QSAs: PSC and Fortrex First to Go Down in New SSC Quality Assurance Program
Neither the principals of PSC (Payment Software Company) nor Fortrex, Inc. (both Qualified Security Assessors) had any comment when asked why their companies were put on probation by the PCI Security Standards Council in late January.
Both companies appear to be lacking the appropriate work papers that are required as supporting documentation for PCI assessments. All QSACs were told about the SSC reviews of work materials in July of last year, so unless they just weren’t collecting or keeping their evidence, I’m unsure how you would screw up this badly. Maybe they didn’t believe the QA program was real?
What will be interesting to see is whether or not they are able to recover from this. I suppose that if Trustwave can be the assessor of record for 2 of the 3 most major breaches in world history and no one wants to talk about it, these guys will be fine by next quarter.
March 16th, 2009 at 6:09 am
I am the SVP, Client Services at Fortrex. I’d like to clarify your comments above. Yes, we were placed in remediation status; however, it’s not because we were lacking the appropriate work papers. We were also very much aware of the QA program when it was announced and have taken the program very seriously. As you are aware, the PCI QA review can cover any period of an assessor’s activity while certified, including time well before the date you mentioned of July 2008. Even though we are in remediation, that does not mean that we disregarded any announcement of the QA program.
The council can put an assessor in remediation for various reasons, including but not limited to anything from providing proper levels of insurance, the number of CPEs, the details of reports on compliance, etc. I’d also like to add that we have acknowledged the issues that were discovered during the review and we are working diligently to address them. In addition, we have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes.
We have a long-standing commitment to delivering world-class solutions and we are committed to being in conformance with the Council as soon as possible. Additionally, we are working closely with the PCI Security Standards Council to ensure that our solutions conform to the strict security standards.
March 16th, 2009 at 9:44 am
Hi Chris – Thanks for the comment, and clarification as to the fact that Fortrex was not put in remediation for lacking supporting evidence or work papers.
If it wasn’t a quality of work issue, would you mind sharing what it was that caused the SSC to put you in remediation?
March 16th, 2009 at 1:36 pm
Essentially Fortrex was put into remediation status because a review of our assessment reports found that they lacked enough detail. We were told that the reports have to be more descriptive of each PCI requirement. The council made it clear that every cell within the standard needs to stand by itself.
We have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes.
April 29th, 2009 at 3:17 pm
“I suppose that if Trustwave can be the assessor of record for 2 of the 3 most major breaches in world history”
I was told they are TOO BIG TO FAIL!
April 29th, 2009 at 4:06 pm
Heh.. “too big to fail.” Maybe they should have left the ATW acronym alone? It was way closer to “AIG” than “Trustwave” is.