Hidden Agendas
It’s interesting that in this very educated, very suspicious society, we still at times need some help in understanding the hidden agendas of the organizations that we work with.
In the world of information security (particularly in the retail space) things are still a little 'Wild West', as there are not a lot of well-defined boundaries between consulting, selling product, and auditing. This creates an interesting environment in which conflict-of-interest issues abound.
There are two areas in particular that I think it is extremely important to understand properly:
- A PCI consultant (the person who actually works with your organization to prepare for a PCI audit) can also be the PCI QSA (the company/person doing the audit).
- A lot of PCI QSAs are also hardware/software providers or resellers.
Think about these two things for a minute.
Let's take a look at the first item: the person you are paying to determine whether you are compliant is also the person who wants your money for the consulting that gets you compliant.
Hopefully you see the potential conflict of interest there. This is a situation that the PCI council certainly knows about, and almost every consulting firm (security-focused or compliance-focused) will happily provide both of these pieces of the PCI puzzle.
I can tell you that I am currently running into a situation at a large retailer where a consultant and a QSA from the same company are in disagreement regarding PCI compliance. They have not resolved the issue and they’ve been working on it for several months. The initial thought was, fine, at least the company is keeping these two areas separate and that’s good.
In theory, possibly; in practice, this has a definite feel of conscious manipulation. How many additional hours has the firm billed its client because it has to go back continuously to 'fix' the stuff the consultant first said was OK? Weren't they billed once for that time already? It's kind of funny that they hadn't really involved the acquiring bank until we told the retailer to get the bank involved.
I also think it's strange that the two groups would be working from different interpretations of the standard to begin with, but I start getting really suspicious when the consultant (who in theory should be the senior, more experienced person) can't justify his recommendations to his own company's QSA.
This is actually an interesting situation, and it's one that NetSPI has to manage as well: we provide a 'turn-key' solution for a number of our clients, acting as both the consulting partner and the QSA. The nice part of our approach is the consistent interpretation of the standard and our commitment to getting the client successfully through the process. We'll also sit with them and support them if there are questions from their acquirer.
Although we are performing this combined service honorably and effectively, the council is currently asking merchants to judge the 'character' of their partner in addition to their competency. I think that is an unfair burden to place on the client; something needs to be done to make this environment more transparent.
Now, look at the second point, which in some ways is even worse. Let me restate the issue: the company that is telling you to change your infrastructure or software happens to sell the exact piece of hardware or software you need to fix the problem they've identified. Hmmmm.
This actually seems to happen a lot. There are two flavors of this issue:
1. Hardware resellers that have realized they can move more equipment if they control the process and use 'PCI fear' to drive sales.
2. 'Compliance' firms that have gutted their profit margins by trying to commoditize the PCI process, and so create products that they can sell (again through 'PCI fear') at a higher margin than the services they provide.
Both of these approaches are very dangerous for the retailer because both 'muddy the water' pretty significantly. Is the advice I'm getting the best for our organization, or is it a 'set-up'? Are they here as a partner I can rely on for advice, or are they just trying to sneak through a system sale?
We've worked in one situation where the retailer did indeed have a vulnerability that needed to be addressed, but called us after their previous PCI consultant 'partner' strongly advised implementing a hardware/software fix at every store, which his company would provide, to the tune of $80M. That's not a typo. We were able to help the retailer implement a fix that involved no new hardware or software at the store.
This is a problem that's actually very easy to avoid: if you are providing advisory services or are a QSA, don't sell hardware or software (and if your QSA/consulting partner sells hardware or software, don't buy it from them). NetSPI doesn't sell anything other than our consulting. If, for some reason, we need to use some 'outside' software, we'll pass the exact cost along to the client dollar-for-dollar.
That's not meant as an 'aren't we great' comment (although we are :)), it's just to give you a 'heads-up' and to tell you to be careful. Ask questions about who is going to be doing the work. Find out if your QSA or consulting firm is also a hardware/software provider. If they are, ask if they will commit (in writing) to keeping the relationship clean.
I'm putting together a list of questions to ask your QSA / PCI advisory services partner, but I'm not ready to post that yet. When I do, it will certainly include some questions designed to gather insight into your partner's approach to these items.