pushback against the external auditor (if they can do it, so can you!)
Lynn in comments points to news that Mastercard has eased up on the PCI (association for credit card issuers) standard for merchant auditing:
But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.
(Level 1 merchants are above 6 million transactions per year, with 352 merchants bringing in around 50% of all transactions in the USA. Level 2 merchants are from 1 to 6 million, 895 merchants and 13% of all merchants.)
Now, this rule would have cost your merchant hard money:
That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services.
These Qualified Security Assessors (QSA) are certified by the PCI Security Standards Council for an on-site assessment, or audit. Because of kickback, complaints, etc, MasterCard backed down:
This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation.
That's you, that is. Or close enough that it hurts. Your company, being a retail merchant bringing in say 100 million dollars a year over 1 million transactions, can now save itself some $100,000 to $1 million. You can do it with your own staff as long as they go on some courses.
If a merchant with millions to billions of direct value on the line, and measurable losses of say 1% of that (handwave and duck) can choose to self-audit, why can't you?
Posted by iang at December 29, 2009 11:09 AM
"At this time PCI SSC does not offer QSA certifications to individuals who do not work for validated QSA Companies. "
This regime of compliance imposed on the free market is another attempt to herd unwilling consumer/merchant groups into a monopoly. It does beg the question with the ever changing regime of network configurations ie WiFi and non-primary carrier based networks "What further complications will be required to contain the herd?", perhaps a better mouse trap or cattle prod. As it stands now the total lack of risk to the payment processor and the usurious fee structure are compounded by the security regime that is yet another array of sub-monopolies. Audits be dammed the regime is frot with assumptions that presume an unchallenged future.
Revolution Money (acquired by American Express) is a sign of the future by removing the interchange fee they where able to achieve acceptance by merchants and customers. The erosion of the monoliths has begun in earnest and no surer sign of this erosion can be found then the attempt to avert risk from the usurious monolith via Audit Standards that are not available, thus rendering their monopoly moot.
The challenged monopoly renders the security suggestions, mandates, audit regimes, and professional certifications worthless, in that the simple culling of the fee structure causes it's collapse. The now questionable monopoly is fractured and its assumptions on profit are called into question. The simple answer is with no actual risk being attributed to the payment processor why should they garner unusual fees and mandate unusual requirements. The merchant/customer herd is pragmatically judging the fee structure versus the service and the risk attributed to the parties involved and the processing regimes are coming up short.
The security regime being a sub-domain of the payment processing regime is only reinforcing via fear and unattainable standards another meaningless wall around a fortress under siege, which will prompt the barbarians consumers and merchants to go around and find a more cost effective road.