Call it the “Rodney Dangerfield Effect.” Conflicts of interest seem to pervade the PCI compliance process and it is something the PCI SSC and the card brands need to clear up before their precious standards get even more bloodied in the media.
I have run across another processor that dictates the use of a particular QSAC. Now do not get me wrong, I am a capitalist and interested in making money just like the other guy. But I have to say that I am not a shark like some of my competitors. I know this post will sound like someone bemoaning sour grapes but, in my opinion, this situation just makes the whole PCI compliance process look like a worthless sham.
What prompts this post is a call with one of our clients that we have performed PCI assessments for years, even before the PCI SSC existed. They are implementing a new point of sale (POS) terminal that requires them to use a different credit card transaction processor because their existing processor is not yet certified to process transactions from this new terminal. Fair enough.
The new terminal is a test installation to see if the service should be expanded to all of our client’s locations. Since the terminal will only generate a couple of thousand transactions in the coming year, the new processor has identified our client as a Level 4 merchant and is treating them accordingly. In reviewing the processor’s contract, our client found that the contract dictates that they use a specific QSAC to “assist” them in filling out their PCI Self-Assessment Questionnaire (SAQ) A. Knowing the SAQ A, our client cannot figure out what a QSAC would do to assist, but it is in the processor’s contract.
Our client’s first question was, “Since when does a processor have the right to force us to use a particular QSA?” We explained that we have been told that while the PCI SSC and the card brands allow processors to have rules that go above and beyond the PCI SSC’s and card brand’s requirements. While I understand that the processor is likely trying to ensure that their Level 4 merchants are not just checking the ‘Yes’ box on their SAQs, forcing the use of a particular QSAC seems a bit questionable. Particularly when we have been told that some QSACs are giving processors payments for all of the customers they refer.
I have written about this issue before with processors charging fees to merchants for the filing of their SAQs. There is also the scam of forcing merchants to use a specific PCI Approved Scanning Vendor (ASV) to scan the merchant’s networks even when the merchant does not have an ecommerce presence or outsources their ecommerce to a third party that already provides their ecommerce customers ASV reports. This is just one more questionable requirement that processors demand that makes merchants and the media think PCI is a scam.
Their next question was, “Since you already do our ROC, can’t we just submit that to our new processor?” You can do that, but you need the new processor’s approval as they do not have to accept our work. What is the likelihood that the new processor will accept our client’s ROC? No idea and I am anxious to hear what our client tells us in that regard.
The problem here is that the processor in question and the QSAC have numerous connections that give a distinct impression of conflicts of interest. First, the QSAC in question runs the processor’s Level 4 merchant compliance program. That program dictates that the QSAC perform some sort of assessment process in order for any of the processor’s Level 4 merchants to create and submit their SAQ.
The justification the processor gave our client was that the PCI SSC requires this action. Last I checked, the PCI SSC and the card brands did not require a QSA to fill out an SAQ. MasterCard has a deadline of June 30, 2012 for Level 2 merchants to have either an ISA fill out their SAQ or have a QSA conduct a PCI ROC. Visa in Canada also requires that a QSA sign off on all SAQs. But those are the only SAQ rules involving QSAs that I am aware.
Next, the QSAC and the processor have swapped various personnel over the years. As a result, there is an appearance that the two are essentially one in the same given that the QSAC runs the processor’s compliance program and the processor dictates that their merchants use the QSAC for PCI assessments. I know that people move between organizations in the same industry all the time, but the number of people that have gone between these two would seem to be higher than expected.
I guess since I am an employee of a public accounting firm in the United States, I have greater sensitivity to conflicts of interest than most. The American Institute of Certified Public Accountants (AICPA) has very specific rules in regards to conflicts of interest. We have an entire department dedicated to ensuring that we avoid conflicts of interest. As a result, we regularly look at the services provided to our clients and ensure that we are not in conflict or even give an appearance of a conflict of interest.
Now I am not suggesting that the PCI SSC and card brands go to the levels that the AICPA requires. But let us face it, it is the Wild West out there and some of the QSACs do not care what conflicts they may have and how it might hurt the PCI compliance processes. The PCI SSC only requires its assessors document the services they provide to the organizations they assess in their assessment reports. While that offers a certain amount of transparency, when you read some of these ROCs, it becomes painfully obvious that some QSACs are assessing their own security services. In some cases, the organization being assessed has outsourced almost everything related to their PCI compliance to the QSAC doing their assessment. What do you think the likelihood is that those services will be assessed as not compliant if there are compliance issues? One would assume it will be very unlikely.
But it can get even worse. A certain QSAC operates one of the card brand’s merchant PCI compliance program. Merchants submit their Attestations of Compliance (AOC) and Reports On Compliance (ROC) to this card brand through the QSAC which manages the process. Does this QSAC inform their clients that accept this card brand’s cards of this fact? Not that I have ever been told by any prospects. Does the QSAC list the management of the card brand’s merchant program on their ROCs? Not that I have seen and I have seen a number of their ROCs for merchants that accept the card brand’s cards and I have never seen the program listed. Does the QSAC submit their ROCs to the program that they manage? They must as the ROCs I have seen are from merchants that accept the card brand’s cards. Is this a conflict of interest? One would think, but this is how things operate today.
The bottom line is that in this age of openness and transparency, it is these sorts of relationships and actions that give a very bad impression to the outside world. The PCI SSC and the card brands need to enhance their rules for QSACs that define conflicts of interest. Until this is done, the PCI standards will continue to be ridiculed and viewed as pointless.