The PCI Security Standards Council has announced a quality assurance program for qualified security assessors and approved scanning vendors.
The new program was designed to give assessors and vendors a set of requirements that helps ensure they deliver consistent, quality validation and assessment services to merchants and service providers.
Following feedback from the council's participating organisations and assessment community, the new program is intended to promote consistent interpretation of the PCI standards and ensure quality is maintained among all vendors. Participation in the program will be required for registered assessors and vendors in order for them to retain the ability to conduct PCI assessments.
The new quality assurance program is based on eight guiding principles, which ensure the council and assessor community commit to:
1. Uphold the best interest of the assessor client
2. Adhere to validation requirements among the assessor company
3. Adhere to validation requirements among the assessor employee
4. Maintain consistent assessor procedures and reporting
5. Interpret the PCI standards appropriately as applicable to the client's systems and environment
6. Remain current with industry trends and PCI SSC updates in the assessor community
7. Report all opinions as factual, documented and defendable, and
8. Maintain a positive relationship between the assessor and PCI SSC.
Bob Russo, general manager of the PCI Security Standards Council, said: “Feedback from the council's participating organisations and others made it clear that the assessment process for the PCI standards would benefit greatly from more rigorous guidelines.
“As a result, we created a clear-cut program that will help ensure all those involved in this process are consistent, credible, competent and ethical.”