“Lions and tigers and bears… Oh my!”
Dorothy – The Wizard of Oz
Over the last few weeks the guys at Razor Thorn HQ and I have been doing some checks on behalf of a number of our clients, looking for PCI DSS compliant service providers in a number of different sectors.
I have to say I am both disappointed and annoyed at the results.
We contacted a mix of about 20 different service providers, ecommerce, call centres and a few other areas. Of the twenty service providers only two actually had the Attestation of Compliance (AoC) ready to show us. The rest all tried to talk their way round the subject or never got back in touch with us.
In short, the vast majority were seemingly lying about their accreditation.
They were willing to say they had it to win new business, but actually doing PCI DSS properly was obviously not a priority. Some of those we called that were unable to provide adequate evidence of their compliance actively advertised their compliance with PCI DSS on their websites!
In addition to that, I was speaking with a business contact of mine at one of the few web hosting providers that is PCI DSS compliant, and he told me he had seen a dramatic increase in the number of vendors using PCI DSS as a means to sell their products, with inaccurate statements such as:
“It removes the need for PCI DSS”
“It complies with PCI DSS”
Let me just set the record straight here as a QSA, and on behalf of all good QSAs: no single product can take away the need for PCI compliance or answer all the PCI requirements. Yes, there are certain products that make your compliance easier; in fact some products are excellent in this respect, but they cannot remove the PCI DSS requirements completely. You still have to undertake the rest of the PCI DSS requirements. For instance, Requirement 12 has many items that are process and business related and thus cannot be solved by software alone.
With regard to service providers, always request PROOF that they are compliant. If they claim to be compliant as a Level 1 service provider, ask for their Attestation of Compliance (AoC); if they cannot provide it, then they are not compliant. If a company is a service provider to you, then YOU cannot become compliant until THEY are compliant (or you drop them and use a company that can prove its compliance).
So to conclude: don’t believe the sales material hype, and do not accept that a company is a PCI compliant service provider until they can prove it!