My update with the PCI Security Standards Council….
April 30th, 2008 Drazen Drazic Posted in Bad Stuff, Dumb Security, PCI, PCI DSS |
The following is an enormous bitch about the PCI Security Standards Council. If you are sick of hearing about PCI DSS or reading about it from me, hit the “back” key now.
Securus Global/DD is industry focused, so if this means I lose business because I piss off the PCI SSC, so be it! They’ve already cost me business because of how they operate. Before I rant, let me start with this from a couple of weeks ago; my last rant about them. Interesting responses! Also thought it was finally getting better at the end. Little did I know…
Now for the latest in Fawlty Towers operations:
Since November 2007, we “intimated” a name change to Securus Global to the PCI SSC and asked for guidance on what they required from us to update the QSA listing information. Since November 2007, we have jumped through every hoop they have asked. Now we are almost in May 2008 and Securus Global is yet to be listed as a QSA. (Oh, the email thread is a laugh from an outsider’s perspective!)
Now all my competitors will love to hear this, but before you get too cocky, it may/will get sorted quickly. If it does, read this as it is intended: we are and always have been client focused, and if the PCI SSC wants to sort this, we want to do it for our clients and nothing else! They will not get a statement here after the fact that things are cool with us (Securus Global) because at present they’re not, and I don’t think they warrant that even if things are sorted! (Shooting myself in the foot… probably… but if you know me, that’s me!)
Either they will respond to my blunt opinions and assessment of the situation here or they will not. If the former comes to fruition, which I doubt, you will get to read some “experience” of my dealings with the PCI SSC shortly.
Sadly for the Payment Card Industry, it looks like they’ve set up a money-earning beast, built on big-time bureaucracy and a lost focus on what it is they actually want to achieve. There are good guys working in there, but maybe some not so good!
PCI DSS is good. At present PCI SSC is very questionable.
…to be continued.

April 30th, 2008 at 8:40 am
Typical of a little person employed by a big company that doesn’t have any personal impact or accountability for incompetence. Subpar individuals reflecting their poor performance on an otherwise worthy organisation.
Reflective of train station security guards drunk on their own perception of their own power and authority.
April 30th, 2008 at 9:05 am
The key job criterion of the PCI SSC and the individuals in it is justifying their own self-worth to keep a job! Organizations like this all start off with good intentions until individuals spoil it. Your post is a good example of that!
I agree that the standards are a good thing but the certification is just a money making exercise. If you have the money, you can be a QSA. You don’t need to be a good auditor. Just pay the $$$$ - any monkey can be a QSA.
Would love to read the “email thread” if you care to share one day! Keep up the fight and good to see someone not scared to take on the establishment!
April 30th, 2008 at 9:16 am
Is the picture of the muscleman on this site the person you are dealing with at the PCI council?
LOL
April 30th, 2008 at 9:39 am
@DM1, yes, $10,000 per year plus a trip to Singapore yearly (airfares/accommodation not included) for a 1 day review of what the standards are and to sit a 2 hour exam, finish it in 20 minutes… for the privilege of being called a QSA. Easy money for some.
April 30th, 2008 at 11:16 am
I’ve previously made no secret of my skepticism for the standards (cash cow) industry.
http://beastorbuddha.com/2007/07/13/big-galoot-diatribe-standards-for-forensicsa-need/#more-108
There’s no question, there’s a need for standards.
But whilst ever there’s a big quid to be made from owning, authoring, maintaining or enforcing a ‘standard’, then what is the *real* driver?
Continuous improvement or continuous money spinning?
BG.
April 30th, 2008 at 1:40 pm
I forgot to mention that the Visa guys in Asia Pacific have been excellent and so supportive to date. They’ve gone in to bat for us.
Funny how getting our details updated on the Visa PABP list (before that went to the PCI SSC also) took one email to Visa and it was done.