The PCI Security Standards Council has placed Trustwave Holdings Inc.’s business of assessing payment-processing software for compliance with a major security standard “in remediation,” an official term that means probation. Chicago-based Trustwave is one of the biggest firms, if not the biggest, in the business of assessing merchants and processors for compliance with card-industry security rules.
The remediation specifically applies to Trustwave’s qualified security assessor (QSA) practice that validates compliance with the Payment Application data-security standard (PA-DSS), which governs card software. Trustwave’s QSA business for assessing compliance with the main Payment Card Industry data-security standard (PCI-DSS) is not affected.
A spokesperson for the Wakefield, Mass.-based PCI Council would not comment about Trustwave specifically. In an email message to Digital Transactions News, she says, “Remediation status does not prevent assessors from performing assessments. As part of the remediation requirements, companies agree to notify their customers that they have gone into remediation.”
The PCI Council administers and updates the PCI-DSS, the PA-DSS, and a third standard that covers PIN-accepting devices, the PIN Transaction Security standard, or PTS. The Council’s Web site lists designated QSAs, which are companies whose employees it has deemed competent to perform assessments for compliance with the PCI standards.
Merchants and processors that handle major-brand credit and debit cards hire QSAs to probe computers, point-of-sale terminals, software, and networks that handle card data, as well as to review employee practices and company policies, to assure that sensitive cardholder information is protected. The PCI Council’s site lists 79 PA-DSS QSAs globally, with Trustwave the only one currently in remediation. According to the site, Trustwave’s PA-DSS business can operate in 16 countries, including the United States, plus Hong Kong.
It is not clear exactly when Trustwave went into remediation, or why. Trustwave did not answer several emailed questions from Digital Transactions News seeking details, but Doug Klotnia, Trustwave general manager of compliance and risk management, responded with this statement:
“This process gives us the opportunity to enhance our PA-DSS risk-assessment practice. We have partnered with the PCI Security Standards Council for a long time and we welcome their feedback regarding adjustments to areas of our assessment services. During the remediation process, it’s business as usual. Our clients will not be impacted in a material way.”
The PCI Council’s Web site does have a “QSA Remediation Statement” that gives general information about what can get a QSA into trouble.
“When a QSA enters remediation as part of the QSA Program quality-assurance process, it indicates there is a need for the organization to improve in one or more areas of their operations or work product,” the statement says. “These areas may include a lack of documentation in a series of reports, failure to meet business expectations with a fully operational internal QA program, failure to renew appropriate insurance coverage, or failure to comply with other requirements addressed within the validation requirements for QSAs [to] document.”
The statement also says that if “satisfactory improvement does not occur, and the assessor cannot meet the standards of service required to maintain the Council QSA designation, or if other issues arise which indicate that the QSA [is] unable to satisfactorily meet the requirements of the QSA Program, the Council may revoke the assessor’s QSA status.”
Branden R. Williams, a former QSA who is now executive vice president of strategy in the U.S. office of Ireland-based Sysnet Global Solutions, a Trustwave competitor, says he has no specific information about the Trustwave situation. But he says any number of things could land a PCI assessor in remediation.
“It could be one bad QSA, but if it’s endemic to the culture, it could be indicative of a bigger problem,” he says.