It has finally happened. A Qualified Security Assessor Company (QSAC) has finally had their status revoked by the PCI SSC. In a little noticed release dated August 4, 2011, the PCI SSC announced through an FAQ that as of August 3, 2011, Chief Security Officers (CSO) of Scottsdale, Arizona is no longer a QSAC. To add insult to injury, CSO was also a Payment Application Qualified Security Assessor Company (PA-QSAC) as well and that status has also been revoked. In reviewing CSO’s Web site, all references to merchant and application assessments have been removed which was likely required by the PCI SSC with the revocations. These revocations are pending any appeal by CSO and only they know if an appeal will be mounted.
The PCI SSC did not explicitly share the reasons why CSO’s statuses were revoked. But based on what little information is in the FAQ, it seems to imply that CSO was not able to provide documentation that supported their conclusions regarding the assessment opinions in their Reports On Compliance (ROC) and Reports On Validation (ROV) they had issued. While there is no public way to determine the number of ROCs that CSO has issued, in reviewing the PA-DSS certified applications list from the PCI SSC Web site, CSO had issued around 56 ROVs for payment applications.
What is interesting about this whole situation is that the PCI SSC issued the announcement as an FAQ versus the usual press release. From the FAQ, we now know something about the revocation process.
- First and foremost, it seems that the PCI SSC is finally showing its teeth regarding their quality assurance assessment process. The FAQ states, “CSO’s status as a QSA and PA-QSA was revoked only after careful review of reports and evidence submitted as part of the quality assurance program …”. The implication here is that CSO was unable to provide sufficient evidence that supported the conclusions of their assessments. The reason this is important is it seems to indicate that the PCI SSC is now including a review of work papers to determine if QSACs are collecting evidence that supports their conclusions in the Report On Compliance (ROC).
- The FAQ states, “It accompanies CSO’s inability to demonstrate sufficient improvement through a prior remediation process.” CSO had already been through the QA process once and had to go through remediation as a result of the prior QA review. CSO must have gone through the remediation process within the last two years as it was two years ago when the QA process started. Even after going through remediation, CSO was apparently not able to get through the QA assessment without being placed in remediation again. What is unclear is whether a QSAC is not allowed to go through remediation twice in a row or if the CSO situation was the outgrowth of larger QA issues that could not be corrected.
- The FAQ states that ROCs and ROVs issued by CSO and accepted by the card brands and the PCI SSC are still valid, but that any work in process will need to be conducted by a different QSAC or PA-QSAC. What I find interesting here is that while the PCI SSC QA process found that CSO was not doing their job as a QSAC or PA-QSAC, merchants and others are to accept their previously issued work and results. That seems a bit too flexible in my opinion. If CSO’s status as a QSAC and PA-QSAC has been revoked, particularly for being unable to support their conclusions, then why should any organization accept their conclusions on any previous assessments? I am particularly concerned about any payment applications certified as PA-DSS compliant.
- One thing implied by the FAQ but not explicitly stated is that all of CSO’s employees that had a QSA designation are no longer QSAs. As a result, based on my understanding of the QSA rules, they cannot go to another QSAC to retain their QSA status.
- Finally, CSO has an opportunity to appeal the PCI SSC’s revocation of the QSAC and PA-QSAC status. However, as of this writing, I have not seen anything in the press that would indicate that an appeal has been requested.
It will be interesting to see if CSO appeals this decision or just accepts the Council’s ruling.