Payment card data security assessors and auditors to be assessed


WAKEFIELD, Mass. Qualified security assessors and approved scanning vendors, who profit from the Payment Card Industry group’s stringent Data Security Standards for restaurateurs and merchants, now must meet minimum requirements of their own, the PCI’s Security Standards Council decreed.

“Feedback from the council’s participating organizations and others made it clear that the assessment process for the PCI standards would benefit greatly from more rigorous guidelines,” said Bob Russo, the council’s general manager. “As a result, we created a clear-cut program that will help ensure all those involved in this process are consistent, credible, competent and ethical.”

Some restaurant companies and other merchants have complained that acquiring PCI DSS certification was time-consuming, in part because of what they characterized as vague guidelines or moving target-like requirements. The process also can be costly, some said, with a contributing factor being the required use of third-party qualified security assessors, or QSAs, and approved scanning vendors, or ASVs.

The PCI Security Standards Council, based here, is made up of representatives of nearly 500 business organizations. Among them are several foodservice organizations, including Arby’s Restaurant Group Inc., Carlson Cos., CKE Restaurants Inc., Domino’s Pizza LLC, McDonald’s Corp. and Yum! Brands Inc.

Members of the security standards council also weigh in on PCI’s PIN Entry Device Security Requirements and the Payment Application Data Security initiatives.

Council representatives said Nov. 17 that participation in the new quality assurance program will be mandatory for QSAs and ASVs who want to register with that body for authorization to conduct PCI assessments.

The new quality assurance program is based on eight guiding principles. The creators said that through the program, the council and assessor community commit to, among other things, uphold the best interest of the assessor client; maintain consistent assessor procedures and reporting; interpret the PCI standards appropriately as applicable to the client’s systems and environment; and remain current with industry trends and council updates.

PCI Security Standards Council sources said the new program will be rolled out in a four-stage process throughout 2009. To interact with assessors, merchants and service providers on an ongoing basis, they said, the council will employ certification reviews, credit checks, training, educational webinars, newsletters, a dedicated e-mail service, question-and-answer documents, informational supplements and feedback forms.

A team of dedicated council staff will validate assessor applications and renewals, ensure that training is relevant and accessible to organizations and maintain the integrity of the testing process, the council noted. It said that the team also will be responsible for assessor performance monitoring and overseeing any necessary disciplinary action, which could include probation or registration revocation.

Information about the quality assurance program and the PCI Security Standards Council can be found at [2].

The PCI Security Standards Council was formed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. It is intended to be a forum in which stakeholders can provide input into the development, enhancement and dissemination of the PCI Data Security Standard, PIN Entry Device Security Requirements and the Payment Application Data Security Standard.