Neither the principals of PSC (Payment Software Company) or Fortrex, Inc. (both Qualified Security Assessors) had any comment when asked about why their companies were put on probation by the PCI Security Standards Council in late January.
Both companies appear to be lacking the appropriate work papers that are required as supporting documentation to PCI assessments. All QSACs were told about the SSC reviews of work materials in July of last year, so unless they just weren't collecting or keeping their evidence, I'm unsure how you would screw up this badly. Maybe they didn't believe the QA program was real?
What will be interesting to see is whether or not they are able to recover from this. I suppose that if Trustwave can be the assessor of record for 2 of the 3 most major breaches in world history and no one wants to talk about it, these guys will be fine by next quarter.
I am the SVP, Client Services at Fortrex. I’d like to clarify your comments above. Yes, we were placed in remediation status, however, it’s not because we were lacking the appropriate work papers. We were also very much aware of the QA program when it was announced and have taken the program very seriously. As you are aware, the PCI QA review can cover any period of an assessor’s activity while certified, including time well before the date you mentioned of July 2008. Even though we are in remediation does not mean that we disregarded any announcement of the QA program.
The council can put an assessor in remediation for various reasons including but not limited to anything from providing proper levels of insurance, number of CPE’s, details of reports on compliance etc. I’d also like to add that we have acknowledged the issues that were discovered during the review and we are working diligently to address them. In addition, we have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes.
We have a long standing commitment to delivering world class solutions and we are committed to be in conformance with the Council as soon as possible. Additionally, we are working closely with the PCI Security Standards Council to ensure that our solutions have conformed to the strict security standards.
Hi Chris - Thanks for the comment, and clarification as to the fact that Fortrex was not put in remediation for lacking supporting evidence or work papers.
If it wasn't a quality of work issue, would you mind sharing what it was that caused the SSC to put you in remediation?
Essentially Fortrex was put into remediation status because a review of our assessment reports found that they lacked enough detail. We were told that the reports have to be more descriptive of each PCI requirement. The council made it clear that every cell within the standard needs to stand by itself.
We have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes.
"I suppose that if Trustwave can be the assessor of record for 2 of the 3 most major breaches in world history"
I was told they are TOO BIG TO FAIL! :-(
Heh.. "too big to fail." Maybe they should have left the ATW acronym alone? It was way closer to "AIG" than "Trustwave" is. ;-)