Ethics, consulting, and PCI compliance.

TL;DR: I work for a shady company, not sure how to handle it.

Long version:

I was recently certified as a PCI QSA for a small company and had the curtain pulled back on the way the company does business. I found out a few things about PCI while I was at training. Things I learned in training are in black, blue is what our company does:

A single missed requirement on the PCI DSS means you file an Attestation of Compliance (AOC) with a status of "Non-Compliant". The merchant/service provider then has a window of remediation in which to fix the problem(s) and become compliant.
A single missed requirement on the PCI DSS means that you say the company has it in place and then just add a bunch of fluff to the ROC (Report on Compliance) for that requirement so anybody who sees it would rather skim than actually read it.
Companies are very rarely compliant on a first pass, and AOCs with "Non-compliant" status are submitted regularly to clients.
Companies are always compliant on first pass, and submitting an AOC with "Non-compliant" status is not done to avoid losing that company's business.
Compensating controls are required to go above and beyond the letter of the PCI DSS and should mitigate the risk posed by not having a specific control in place.
A two factor jump server into the cardholder data environment can be a compensating control for anything from missing anti-virus software to no NTP server being set.

We do consulting work for almost all the clients we assess, and our owner is believes (perhaps rightfully so) that if we submit non-compliant AOCs that customers will fire us from not only the assessment but the other work as well. As such, we've never submitted a non-compliant AOC (to my knowledge) and have definitely assessed some companies as PCI compliant that are far, FAR from it. I'm talking blatantly lying on the ROC, fudging the reporting to say a piece of evidence covers something it doesn't, sampling maybe 5 servers and claiming we sampled 30 or more, etc.

My only exposure to PCI is through this company, and the owner assures me that this is how it's done "in the real world" and it's the only way to keep the business going. I disagree, and am not ethically comfortable with working for this company anymore.

The problem is, of course, that I need a paycheck. I need the income this job provides to keep our house, car, family together, etc. I know that after doing assessments for a while I'll be able to say I have experience and move on to a company that does things the right way, but I'm not sure what to do until then. Do I simply nod and say yes sir, and sign my name to attestation forms I do not believe to be accurate? Do I resign? Do I do my best and avoid signing anything that is an obvious and blatant lie? I feel trapped, and am not sure what to do. I have obtained all my certs legitimately and feel very uncomfortable working for a company that would have me compromise my own professional integrity just to save face with customers, but I also need to get paid.

Opinions/stories/advice/etc. from others who have worked in PCI compliance or have experience with PCI is greatly appreciated but I'd like to hear what anybody has to say.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

JoJoCal19

My response would be, a roof over your head and food on your plates is most important, but in actuality the most important thing, is to make sure that you cannot be held criminally responsible, or even personally responsible should one of the companies have a breach and it makes it way back to you putting your name on falsified documents. I have not dived into PCI so I don't know if what I mentioned could happen, but as I work for one of the nations largest financial firms I plan on it next year.

darkerosxx

I know a lot about PCI and my response is to run far far away before you end up in jail. Seek out another job and move when it makes financial sense for you to do so.

IMO, you should also report this because its giving a bad name to real companies who actually are compliant as well as to the standard.

It's a horrible business idea to think people seek you out to help them get compliant, you just say they're compliant, and you're done. Not only does that not make for a good business strategy, you're also losing out on the billable hours helping them fix their actual problems. If they fire the company for not being complicit in fraud and giving them a fake PCI, then good riddance, unless you want to be in the literal business of fraud.

5ekurity

I did some PCI work when I was in consulting, and I agree with darkerosxx - get out of there. Your name and reputation isn't worth being tarnished over what a company mandates is right or wrong. The PCI Council would probably have a field day with them too. I would do what you need to do while actively searching for new employment, and consider reporting this to the council (of course it's easier for all of us to say that when we're not the ones working for the company - do what you feel most comfortable with).

Unfortunately I have a feeling that there are more than a few businesses out there that run this type of game.

LionelTeo

I only understand from CISSP code of ethics would be that ethics is place to be the most important point, with law in second. You had a very good reason to move on to another company. Otherwise if there is a problem and if it escalate, you would probably lose more than just a paycheck. Consider the risk of not being able to work in IT, or any other financial sector again, that would be a much larger blow to your career.

And for missing antivirus software is simply to be asked to get whack by finanical laundering trojan. Their presence is bad enough considering how good the newer versions are always evading antivirus, not having one in place is simply asking for a good beating from criminals using such programs.

Raystafarian

The best thing to do is document, document and document. Do it the way you feel is correct. Document. Keep your copies. Hard copies, electronic copies, multiple copies, multiple locations. Get any changes or requests in writing (if possible) and keep them. If the layer above you changes your conclusion, that's on them, not on you. Feign ignorance, you are still learning.

You keep the documentation not because you're going to use it for anything, but in case anything ever comes back to you. You can show that you stated your opinion and you had documentation to back it up. Anything that happens after that is out of your hands.

This will allow you to keep your ethics intact, keep your family safe and gain experience while looking for another job ASAP.

MSP-IT

I don't think I can say any more that has already been mentioned. You should also be aware that you could be stripped of your certifications if you were to be found out, though at that point it'd be the least of your worries.

GarudaMin

Even though PCI-DSS compliance is non-regulatory obligation, there are components of it that are regulated by law. If you are in Nevada, then the whole PCI-DSS is mandated as a state law. Anyway, the point is if the companies that got certified by your company as compliant found themselves breached or found that it was a false claim, then they will come after your company via law or via contract. And guess what your company will do? They will point their fingers at you, after all it's you who signed the report.

I agree with Raystafarian in that you submit what you believe is true to your upper layer, if they want to falsify it, it's on them. Get that in writing and keep those documents. That will give you an out when they come after your company. Meanwhile, look for another job aggressively.

consultant_throwaway

Thanks for the advice, everyone. I'm glad there is consensus here.

I had a discussion with the owner about my reservations and he has made it clear that while he will never ask me to falsify information or put my name on a document that contains lies--essentially he will let me run assessments the way I think they should be run--that if a customer has a deadline to become compliant, and I miss that deadline, that we will part ways.

That being said, I will spend the next few months doing my best to perform assessments in the way I feel they need/deserve to be done and only signing my name to documents that I am comfortable signing, while looking for a new job.

GoodBishop

Send me a email with some of your questions. I am a ISA and have done PCI for a while, so I can comment on this stuff.

A single missed requirement on the PCI DSS means you file an Attestation of Compliance (AOC) with a status of "Non-Compliant". The merchant/service provider then has a window of remediation in which to fix the problem(s) and become compliant. <-- this is true. Say they didn't have firewalls. Bingo - AoC = non-compliant.
A single missed requirement on the PCI DSS means that you say the company has it in place and then just add a bunch of fluff to the ROC (Report on Compliance) for that requirement so anybody who sees it would rather skim than actually read it. <-- this is B.S., and ethically, if a company did this, they are living on the edge because they could be hosed from multiple areas.
Companies are very rarely compliant on a first pass, and AOCs with "Non-compliant" status are submitted regularly to clients. <-- Depends.
Companies are always compliant on first pass, and submitting an AOC with "Non-compliant" status is not done to avoid losing that company's business. <-- Think of it this way. If the company is smart, they would have hired a QSA or consulting company to prep them for the PCI audit to make sure they will pass. Even during the audit, if they find something (like http was on instead of https), the company can still remediate it right there - keep in mind this is the first audit. Second audits and later are much tougher. And if it is truly not in place, like FIM, then you're hosed. Non-compliant AoC.
Compensating controls are required to go above and beyond the letter of the PCI DSS and should mitigate the risk posed by not having a specific control in place. <-- this is true
A two factor jump server into the cardholder data environment can be a compensating control for anything from missing anti-virus software to no NTP server being set. <-- no, it can't. you have to look at the original requirement, and see what controls actually compensate for it. Two factor jump server does not compensate for lack of NTP.

GoodBishop

And yes, I agree with the other folks on getting out of there. Glad to see that you're looking.