IT Security Guru
PCI council puts five approved forensic investigators in remediation

by The Gurus
January 12, 2015
in Editor's News

The PCI Security Standards Council (SSC) has placed a number of PFI level auditors “in remediation” in what is expected to be a step-up in compliance enforcement for 2015.
 
Andrew Barratt, managing director of Coalfire, told IT Security Guru that two more of the approved forensic investigators (PFIs) have been put in remediation. He said: “It looks like the PCI guys are starting to crack down on some of the shoddy investigation work that has been done in the past.”
 
He confirmed that being “in remediation” basically means there were things not done properly, and quality checks failed. “It has more far-reaching consequences for the PFI community as banks probably won’t use them for investigations,” he said. “Sometimes it means the SSC will not allow reports to go out – which makes the PFI pretty much unusable until it gets its act sorted.”
 
Barratt said: “It does look like the SSC has been on a significant improvement drive as a lot have been put into remediation. I do think it is fairly positive. The PCI guys get a lot of stick – but at least it shows they are stepping up the game.”
 
The PCI SSC website currently lists five of the 22 accredited companies as being in remediation: AT&T, Trustwave, Sysxnet, Protiviti and Secure State. None of those contacted by IT Security Guru chose to comment.
 
Talking about the process of being PFI accredited, Protiviti managing director Ryan Rubin said that to operate as a QSA or PFI you have to be licensed by the PCI council, so not everyone can become a PFI or a QSA.
 
He said: “Part of the PCI council’s role, in addition to the standard, is to maintain a list of companies that have been vetted to carry out this kind of work. The QSA work is a third-party assurance role that companies provide by doing an assessment against the PCI standard to say whether a company who processes the data is compliant with the standard or not; that is typical of the QSA, and as part of the program we can be requested to provide output reports to the council, and they do quality assurance over the quality of the work that companies provide, which needs to be done in an anonymised way.
 
“They monitor activity in the marketplace, and if there are concerns that the council has about the quality of the work or the rules that the company operates within, they have the right to put the company into remediation. What that means is that the company is given a set of improvement areas that they need to focus on to get out of remediation; they can still operate and are entitled to work as a PFI or as a QSA, it doesn’t mean that they lose their license, but it means that unless certain changes are made then there is a chance that they may not be able to operate in the future. There are opportunities for improvement in the council’s eyes and can get out of remediation.”
 
Rubin declined to comment on how Protiviti ended up in remediation, but explained that to get out of it, the company just needs to carry out a piece of work that meets the criteria and recommendations that have been made, and show the council that those particular gaps in practice and rules have been covered.
 
He said: “One of the challenges in the PFI list is that there is not a large number of companies on it, so the council is not keen to remove people from the list, as it is good to have variety to have enough competition and opportunity for companies to choose from auditors, but the council has a set of rules.
 
“To get to PFI you have to jump through quite a few hoops in terms of experience. It is a natural course of events that the council will undertake and it is part of the program to be regularly assessed and I don’t see it as being anything more than that.”
 
In a statement to IT Security Guru, a spokesperson for the PCI SSC said: “The PCI PFI program establishes rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to compromised entities. The program sets high expectations for PFIs and, as such, has a rigorous ongoing quality assurance component.
 
“Our focus is maintaining the integrity of our current validated PFI listings to ensure that the PFIs listed are consistently delivering high quality services. When a PFI enters remediation, it indicates there is a need for the organisation to improve in one or more areas of their operations or work product. The remediation period allows for process and work product improvement. This process allows for feedback from both the payment card brands and for entities making use of PFI services. Merchants should continue working with PFIs under remediation as they work toward satisfactory improvement of their services.”

Tags: Compliance, Forensic, PCI, Regulation
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic