Executive Insight: QSAs – Conflict of Interest?

In last month’s article, we discussed that your Merchant Services Provider (MSP) is responsible for informing and assisting you with your payment processing security. Because MSPs often don’t have the expertise in payment security, many will refer you to a Qualified Security Assessor (QSA), causing you to have to pay for the expertise that should already be included in the fees you pay your MSP for card processing.

The purpose of this month’s article is to point out some issues that may arise if you depend exclusively on a QSA to define and solve your payment security woes. Some years ago — even before the requirements of the Payment Card Industry Data Security Standards (PCI-DSS) — the card associations began to certify security professionals to provide auditing and scanning services to merchants. This way, merchants could assure their merchant banks that they were protecting cardholder data as required by various card association regulations.

The initial intent was that the QSAs and Authorized Scanning Vendors (ASVs) would be like CPAs and could certify that merchants were in fact compliant with the cardholder security regulations.

A few years back, CPAs discovered that they could increase their revenue by selling accounting software and providing consulting services. The ENRON failure proved that this was not a good idea, because it created a conflict of interest.

The reason I bring this up is that some of today’s QSAs are following suit. They no longer just scan or audit. They also sell hardware, software, and networking services. Using the CPA analogy, this would be a conflict of interest.

Before signing an agreement with any QSA, I suggest that you make sure that all they sell is the service of auditing or that all an ASV sells is scanning services. If not, any information or opinions they give you may be slanted toward the sale of their software solutions, equipment, or additional services. They may “discover” problems and issues that they just happen to have a solution for…at a hefty price, of course.

Shift4 provides functionality like TrueTokenization and our patented 4Go and i4Go technologies, which vastly decrease the woes of PCI compliance. Many QSAs view the simplifying of PCI as taking money out of their pockets, so they may make negative or disparaging comments about these types of technologies. If you hear those types of comments from a QSA, run, don’t walk, away from them. (Or get us on the phone with them!)

If Shift4’s security technologies are implemented at your location along with DOLLARS ON THE NET®, your PCI costs should be significantly reduced. In some cases they can be reduced by as much as 98%.

Follow this space in future newsletters to learn how you can leverage our powerful security technologies to significantly reduce your PCI exposure and lower your annual cardholder security costs. As always, Shift4 supplies its security technologies to you at no additional cost.

Dave Oder
Shift4 Founder & CEO