I just returned from the PCI Security Standards Council Annual Community Meeting I attended last week in Orlando. According to the Council there were 575 delegates from 310 different organizations in attendance, representing merchants, acquirers and vendors. This is up from 320 participants last year. There is no doubt that PCI compliance is top-of-mind for many organizations.
Of the many topics covered, I want to share one area with you that I found particularly interesting. The Council is introducing a Quality Assurance Program that will be phased in starting October. Their goal is to achieve more consistency across providers, initially targeting Qualified Security Assessors (QSAs) and Authorized Scanning Vendors (ASVs). They defined specific grading scales and remediation steps that will be taken if vendors are found to be non-compliant with program standards. The Council will review a good sampling of ASVs and QSAs each year and will post the names of those vendors who are “under review” on its website (a sort of modern-day scarlet letter “A”?).
We welcome this step by the Council. When any new standard emerges (think SOX), vendors clamor to figure out how to take advantage of the market opportunity. In most cases, this works well by supplying buyers with many options at a fair price. In some cases, though, vendors are looking for a way to make a quick buck, and their processes and deliverables may not meet the standards. When the security of cardholder data is at stake, this creates unknown risk for both consumers and merchants. It will be interesting to observe (and possibly participate in!) the process.
I'll keep you posted on what I continue to uncover. What do you think? Please share your thoughts with me along with other merchants like you by commenting on this post.
'Til next time,
Joan
The eSecurity Diva