Posted by: admin, 15 years ago
If you are a PCI QSA, or a PCI merchant or processor, you might enjoy this article about the relationship between the QSA and the client. The entire PCI ecosystem is quite fascinating. There is definitely potential for an agency problem: QSAs are paid by the very clients whose compliance with the PCI Council's standards they are supposed to assess.
The situation is reminiscent of the real estate appraisal market. Appraisers are independently certified and registered with the state. Their fees are paid at closing by the buyer, though they work for the bank. The key is that they are chosen by the real estate agent, and an appraiser who kills a deal with a valuation that comes in too low doesn't get any more deals from that agent.
The PCI Council could take steps to minimize or offset the agency problem. For example, it could forbid the use of the same QSA two years in a row. Mandatory rotation would stop a QSA from counting on repeat business from any one client, which might help, but it would not stop merchants from shopping for "easy graders" each year.
If I were a behavioural economist, I would be very interested in the PCI market. One reason is that you should be able to measure improvements over time using breach data. In the real estate market that would be much harder, because the pressure for appraised values to match the purchase price feeds back into the market itself. You would have to statistically analyze the sale prices of comparable properties prior to a specific property's closing date and compare them with its appraised value, which is not readily available.