November 19, 2010
Where's the Separation of Duty in PCI?

Having been directly focused on data security for over 8 years, and given my current global engineering role at Imperva Inc, I routinely lead best-practice IT governance discussions with partners and prospective customers. Quite often these discussions cover PCI DSS (Payment Card Industry Data Security Standard). One question in particular has become increasingly common in these discussions: it asks about the practice of PCI DSS QSAs (Qualified Security Assessors) both auditing for PCI DSS and selling their own solutions for remediating PCI compliance failures.

Consider the following scenario:

XYZCorp requires PCI compliance, so they contract a QSA to perform an assessment and provide results, along with possible remediation strategies for violations. The QSA identifies violations in Web security for PCI requirement 6.6. The QSA recommends their own product, in this case a web application firewall, to correct the violation, and the customer purchases the product.

  • In this scenario, is the QSA in the assessment business or in a product/consulting business?
  • Which business is the priority in terms of sales? And, if the non-audit business has priority, does driving product and consulting sales compromise the integrity of the assessment?
  • Is the QSA willing to fail a customer who purchased the product or non-audit services from them if the product is failing to provide compliance due to bugs, lack of effective deployment, etc.?
  • Is there a chance that the QSA will overlook a particular requirement simply because they know their product or services were previously purchased for remediation?

My opinion is that there could be a conflict of interest, and that in some cases not only product sales but also consulting services may drive the business of the QSA more than the assessment projects do. As you can see below, this problem has been addressed by other governance regulations, but has yet to receive attention from PCI.

Before SOX, auditing firms were self-regulated. They also performed significant non-audit or consulting work for the companies that they audited. Many of these consulting agreements were far more lucrative than the auditing engagements. In these cases, challenging a company's accounting approach might damage a consulting client relationship, conceivably placing a significant consulting arrangement at risk, damaging the auditing firm's bottom line.

Consulting and non-audit work was bringing in the “big bucks”, while auditing was bringing in small change. This created a conflict of interest, or a lack of independence.

Today, your SOX auditor can’t provide SOX consulting services because of the independence requirement (the person who defines the controls can’t audit them), so if you need SOX consulting services you need to contract a different firm.

Sarbanes-Oxley explicitly recognizes the importance of separation of duty. It's time for the PCI DSS to do the same and recognize that, without audit independence, the integrity of PCI audits provided by Consultant+Product+QSA organizations is questionable, at best.
