Service Provider Errors
In any case, what we really wanted was someone to validate that our security was up to par with Visa and MasterCard's standards. We didn't want to have to research security every day until we got it all right; we just wanted someone to tell us when an issue presented itself. This worked well for a while; then they started making rule changes and upgrading things for PCI but not for this service. That's made things confusing.
Today, however, we have a new issue with them. We have random "vulnerabilities" that don't exist showing up, saying they're on 0 devices but still downgrading our compliance on every single device. The entire live chat we had with them is listed below.
Don: How can I assist you today?
You: Hey Don, any idea why we're getting flagged on all of our servers for Backup CGI file Detection with no way to resolve?
You: Hiccup there?
Don: Yes, we are aware of the issue and are working on it at this time. The issue should be resolved soon.
You: Ok, thank you.
As you can tell, they're having "an issue". But that brings up a question of reliability. If a security auditing firm has these types of problems in their internal system, how good are they at actually monitoring and reporting? Well, we'll keep using this service, but it has certainly raised some questions in my mind.
On the plus side, at least they knew about it. It may have been from the person right before us that asked about it, but they weren't totally clueless. I suppose that's something in their favor.