Payment card industry (PCI) assessors must be regulated if the system is to work, according to a panel of industry experts.

Bob Walder, chief scientist at NSS Labs, claimed that the PCI Data Security Standard (PDF) which sets out PCI compliance, could be ambiguous in certain areas, and that compliance assessors need to be well trained.

"These are the guys who charge quite a lot of money to look at a company's infrastructure and determine whether or not it is compliant with the DSS," he said during a panel discussion at NetEvents in Malta.

Walder warned that the wide range of choices meant that it could be "lucky" when a company uses an assessor who has a deep knowledge of network security and how it applies to PCI.

"If you are unlucky, the assessor is going to be doing little more than going through a checklist and saying 'OK you don't have a firewall, but I don't really have any further advice for you there' or 'You have this particular firewall but I'm not familiar with it, so I still can't tell you whether you're compliant or not,'" he said.

Alex Raistrick, director for Northern Europe at ConSentry Networks, believes that one way round the problem is to vet assessors to ensure that they are up to the job.

"If there is going to be a standard for PCI products, there needs to be a standard for assessors to show that the assessor is known to be successful and will get you compliant," he said.

Neil Hartsell, vice president of product marketing at Tipping Point, highlighted one of the problems that assessors face.

DSS tells companies what information they need to encrypt and that they need firewalls and antivirus, but it stops short of naming compliant products.

"It cannot go so far as to say 'This is the model of the product from vendor A that meets all those criteria' so there has to be some agency which makes that clear," Hartsell said.

"If you do not solve this problem, the assessor will never be anything more than a consultant."