I ran into a situation recently and wanted to voice my disgust over it.
I have a friend that runs a side business with their spouse and, of course, takes credit cards for payment. They signed up with a processor and obtained a logon to the processor’s Web site for processing card transactions. A couple of months ago, he called me because he had gotten a letter from his processor saying that they needed to be PCI compliant. He called me to find out exactly what PCI compliant meant. So, I listened to how his business operated and told him to fill out and file an SAQ A with the processor since the processor gave them no guidance.
They filed the SAQ A with the processor and then got a call from the processor asking for certification of the SAQ by a QSA. The processor explained that if they did not have a QSA, the processor would charge them $185 to have a QSA certify their SAQ. So, I get a second call from my friend asking about this latest twist of events. I explained to them that having a QSA review and certify an SAQ is not a PCI requirement. As a matter of fact, the filing of an SAQ by a Level 4 merchant is recommended, but not required by the card brands.
So, now I have a call with this card processor who is demanding that my friend pay them $185 to obtain a certificate from a QSAC certifying that he is PCI compliant. I speak with a customer service supervisor who explains to me that their company requires that all merchants they process are required to work with one of their recommended QSACs or any QSAC of their choosing.
I asked them to direct me to the PCI DSS or any PCI requirement that requires a QSAC to sign off on a Level 4 merchant’s SAQ. The supervisor stated that there was no PCI SSC requirement for this; it was their Firm’s requirement. They then listed off a number of recognized QSACs that could provide such a certificate for my friend. I was shocked at the number of big QSACs that this person listed off and was surprised that some of these QSACs would be willing partners in this organization’s PCI compliance program. Unfortunately, a couple of the QSACs this person named did not surprise me as I have always questioned their motives in the PCI compliance arena.
When I asked the supervisor if I could provide a PCI Attestation Of Compliance (AOC) as my friend’s proof of compliance with the PCI DSS, I was told that an AOC was not acceptable and that as an QSAC, my firm would be required to provide a certificate. When I asked what the certificate would look like, I got an indignant answer that as a QSAC; I would already have that information. I found this extremely interesting, since no such “certificate” has ever been defined by the PCI SSC. And near as I can tell, these “certificates” would not be worth the paper they are printed on. And if shown to any of the card brands, would likely be laughed at as “proof” of anyone’s’ “compliance” with the PCI standards.
Needless to say, this conversation did not go well nor did it last much longer.
But this conversation brings up an issue with the PCI compliance program that has existed from day one. How do you keep the program relevant to merchants and service providers when you have nonsense like this going on? These sorts of actions by organizations just add fuel to the fire for critics to use as another argument as to why the PCI compliance programs are pointless and organizations should not bother with complying with any of the PCI standards.
Another problem this situation points out is how uneducated merchants are to the PCI compliance programs and processes. Even though everything about these programs is documented on the PCI SSC Web site, there are vendors and service providers that abuse their position with these organizations and knowledge of the PCI compliance programs and processes all for their financial benefit.
I have submitted a question to the PCI SSC regarding this situation and hope to have an answer from them in the next few weeks as to whether it is legal or not. I also intend to bring this situation up at the Community Meeting as well. In my view, this situation is highly questionable and in my very humble opinion the processor should be forced through some sort of remediation program just like the QSACs face.