The PCI Security Standards Council (SSC) has placed a number of PFI-level auditors “in remediation” in what is expected to be a step-up in compliance enforcement for 2015.
Andrew Barratt, managing director of Coalfire, told IT Security Guru that two more of the approved PCI Forensic Investigators (PFIs) have been put in remediation. He said: “It looks like the PCI guys are starting to crack down on some of the shoddy investigation work that has been done in the past.”
He confirmed that being “in remediation” basically means there were things not done properly, and quality checks failed. “It has more far-reaching consequences for the PFI community as banks probably won’t use them for investigations,” he said. “Sometimes it means the SSC will not allow reports to go out – which makes the PFI pretty much unusable until it gets its act sorted.”
Barratt said: “It does look like the SSC has been on a significant improvement drive as a lot have been put into remediation. I do think it is fairly positive. The PCI guys get a lot of stick – but at least it shows they are stepping up the game.”
The PCI SSC website currently lists five of the 22 accredited companies as being in remediation: AT&T, Trustwave, Sysxnet, Protiviti and Secure State. None of those contacted by IT Security Guru chose to comment.
Talking about the process of being PFI accredited, Protiviti managing director Ryan Rubin said that to operate as a Qualified Security Assessor (QSA) or PFI you have to be licensed by the PCI council, so not everyone can become a PFI or a QSA.
He said: “Part of the PCI council’s role, in addition to the standard, is to maintain a list of companies that have been vetted to carry out this kind of work. The QSA work is a third-party assurance role that companies provide by doing an assessment against the PCI standard to say whether a company that processes the data is compliant with the standard or not. That is typical of the QSA, and as part of the program we can be requested to provide output reports to the council; they do quality assurance over the quality of the work that companies provide, and it needs to be done in an anonymised way.
“They monitor activity in the marketplace, and if there are concerns that the council has about the quality of the work or the rules that the company operates within, they have the right to put the company into remediation. What that means is that the company is given a set of improvement areas that they need to focus on to get out of remediation; they can still operate and are entitled to work as a PFI or as a QSA. It doesn’t mean that they lose their licence, but it means that unless certain changes are made there is a chance that they may not be able to operate in the future. There are opportunities for improvement in the council’s eyes, and they can get out of remediation.”
Rubin declined to comment on how Protiviti ended up in remediation, but explained that to get out of it, the company just needs to carry out a piece of work, meet any of the criteria and recommendations that have been made, and show the council that those particular gaps in practice and rules have been covered.
He said: “One of the challenges in the PFI list is that there is not a large number of companies on it, so the council is not keen to remove people from the list, as it is good to have variety to have enough competition and opportunity for companies to choose from auditors, but the council has a set of rules.
“To get to PFI you have to jump through quite a few hoops in terms of experience. It is a natural course of events that the council will undertake, and it is part of the program to be regularly assessed; I don’t see it as being anything more than that.”
In a statement to IT Security Guru, a spokesperson for the PCI SSC said: “The PCI PFI program establishes rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to compromised entities. The program sets high expectations for PFIs and, as such, has a rigorous ongoing quality assurance component.
“Our focus is maintaining the integrity of our current validated PFI listings to ensure that the PFIs listed are consistently delivering high quality services. When a PFI enters remediation, it indicates there is a need for the organisation to improve in one or more areas of their operations or work product. The remediation period allows for process and work product improvement. This process allows for feedback from both the payment card brands and for entities making use of PFI services. Merchants should continue working with PFIs under remediation as they work toward satisfactory improvement of their services.”