Ethics, consulting, and PCI compliance.

TL;DR: I work for a shady company, not sure how to handle it.
Long version:
I was recently certified as a PCI QSA for a small company and had the curtain pulled back on the way the company does business. I found out a few things about PCI while I was at training. Things I learned in training are in black, blue is what our company does:
- A single missed requirement on the PCI DSS means you file an Attestation of Compliance (AOC) with a status of "Non-Compliant". The merchant/service provider then has a window of remediation in which to fix the problem(s) and become compliant.
- A single missed requirement on the PCI DSS means that you say the company has it in place and then just add a bunch of fluff to the ROC (Report on Compliance) for that requirement so anybody who sees it would rather skim than actually read it.
- Companies are very rarely compliant on a first pass, and AOCs with "Non-compliant" status are submitted regularly to clients.
- Companies are always compliant on first pass, and submitting an AOC with "Non-compliant" status is not done to avoid losing that company's business.
- Compensating controls are required to go above and beyond the letter of the PCI DSS and should mitigate the risk posed by not having a specific control in place.
- A two factor jump server into the cardholder data environment can be a compensating control for anything from missing anti-virus software to no NTP server being set.
My only exposure to PCI is through this company, and the owner assures me that this is how it's done "in the real world" and it's the only way to keep the business going. I disagree, and am not ethically comfortable with working for this company anymore.
The problem is, of course, that I need a paycheck. I need the income this job provides to keep our house, car, family together, etc. I know that after doing assessments for a while I'll be able to say I have experience and move on to a company that does things the right way, but I'm not sure what to do until then. Do I simply nod and say yes sir, and sign my name to attestation forms I do not believe to be accurate? Do I resign? Do I do my best and avoid signing anything that is an obvious and blatant lie? I feel trapped, and am not sure what to do. I have obtained all my certs legitimately and feel very uncomfortable working for a company that would have me compromise my own professional integrity just to save face with customers, but I also need to get paid.
Opinions/stories/advice/etc. from others who have worked in PCI compliance or have experience with PCI is greatly appreciated but I'd like to hear what anybody has to say.
Comments
IMO, you should also report this because it's giving a bad name to real companies who actually are compliant as well as to the standard.
It's a horrible business idea to think people seek you out to help them get compliant, you just say they're compliant, and you're done. Not only does that not make for a good business strategy, you're also losing out on the billable hours helping them fix their actual problems. If they fire the company for not being complicit in fraud and giving them a fake PCI, then good riddance, unless you want to be in the literal business of fraud.
Unfortunately I have a feeling that there are more than a few businesses out there that run this type of game.
And missing antivirus software is simply asking to get whacked by a financial laundering trojan. Their presence is bad enough considering how good the newer versions are at evading antivirus; not having one in place is simply asking for a good beating from criminals using such programs.
You keep the documentation not because you're going to use it for anything, but in case anything ever comes back to you. You can show that you stated your opinion and you had documentation to back it up. Anything that happens after that is out of your hands.
This will allow you to keep your ethics intact, keep your family safe and gain experience while looking for another job ASAP.
I agree with Raystafarian in that you submit what you believe is true to your upper layer, if they want to falsify it, it's on them. Get that in writing and keep those documents. That will give you an out when they come after your company. Meanwhile, look for another job aggressively.
I had a discussion with the owner about my reservations and he has made it clear that while he will never ask me to falsify information or put my name on a document that contains lies--essentially he will let me run assessments the way I think they should be run--that if a customer has a deadline to become compliant, and I miss that deadline, that we will part ways.
That being said, I will spend the next few months doing my best to perform assessments in the way I feel they need/deserve to be done and only signing my name to documents that I am comfortable signing, while looking for a new job.
A single missed requirement on the PCI DSS means you file an Attestation of Compliance (AOC) with a status of "Non-Compliant". The merchant/service provider then has a window of remediation in which to fix the problem(s) and become compliant. <-- this is true. Say they didn't have firewalls. Bingo - AoC = non-compliant.
A single missed requirement on the PCI DSS means that you say the company has it in place and then just add a bunch of fluff to the ROC (Report on Compliance) for that requirement so anybody who sees it would rather skim than actually read it. <-- this is B.S., and ethically, if a company did this, they are living on the edge because they could be hosed from multiple areas.
Companies are very rarely compliant on a first pass, and AOCs with "Non-compliant" status are submitted regularly to clients. <-- Depends.
Companies are always compliant on first pass, and submitting an AOC with "Non-compliant" status is not done to avoid losing that company's business. <-- Think of it this way. If the company is smart, they would have hired a QSA or consulting company to prep them for the PCI audit to make sure they will pass. Even during the audit, if they find something (like http was on instead of https), the company can still remediate it right there - keep in mind this is the first audit. Second audits and later are much tougher. And if it is truly not in place, like FIM, then you're hosed. Non-compliant AoC.
Compensating controls are required to go above and beyond the letter of the PCI DSS and should mitigate the risk posed by not having a specific control in place. <-- this is true
A two factor jump server into the cardholder data environment can be a compensating control for anything from missing anti-virus software to no NTP server being set. <-- No, it can't. You have to look at the original requirement, and see what controls actually compensate for it. A two factor jump server does not compensate for lack of NTP.