A few days ago, Rich Mogull at Securosis raised the issue, should PCI assessment firms sell the products needed to remediate the gaps their assessors find? Rich posed this question in light of Trustwave’s acquisition of yet another company, Breach, that sells products that are used to meet PCI regulatory requirements.

Rich, of course, was very diplomatic, but considering the level of ambiguity in the PCI regulations, the temptation for collusion between assessors and consultants who implement PCI controls cannot be ignored.

Rich is careful to point out that Trustwave is not doing anything unlawful or even unethical since the PCI Council “shows no interest in controlling conflicts of interest…”

Just as the big accounting firms were forced divest their consulting arms, companies should not be able to perform PCI assessments and provide remediation products and services. Let me point out that not all assessors do remediation. And let me also point out that Cymbel is not an assessor and provides products and services which are used to meet PCI regulations.