by abritishguy 3572 days ago
Name and shame, this auditor is actively damaging security and should be shut down.
4 comments

I've worked with about eight or nine. Two of them are jaw drops in horror. A bunch are "err, what?", but get the job done vaguely competently if in a very procedural fashion. Quite often it's totally nontechnical people with backgrounds in finance/filing who do the assessment. Finally, there are two outfits we've worked with that we liked - one well enough to come audit us.

Oh, also, the big automated platforms like SM and TW are pretty poor.

The way it's set up right now, if you're lucky enough to be deemed a QSA by the PCI council, congratulations, you are now legally welcome to blackmail and extort. Zilch oversight, it's the Wild West, and snake oil salesmen abound.

Who were the two you liked? We're looking at various PCI stuff at the moment.
We had a very good experience with the folks at Security Metrics in Utah. Very reasonable people. And we had some compensating controls and non-standard things to be done. They were very much willing to work with us instead of against us.
I had a mixed experience with them - their automated scanner can be painful with misdetection, but their support usually makes up for it, even if they're slow to respond. I've not used them for anything other than the quarterly scans.
The guys here at Digital Assurance love Monzo, Tom; feel free to drop us a line...

contact [at] digitalassurance.com

Hi Tom, very biased here, but I interned at MWR InfoSecurity and the team there seemed to be consistently very high quality (like finding 0-days in Chrome, the Windows kernel, etc.) - would definitely recommend looking at them.
The OP reported the auditor with the appropriate authorities and hopefully they'll revoke their certification.

Alternatively, I'd report the auditor to the police for attempting to acquire personal user data, a clear violation of data protection acts and user privacy.

The company is under investigation, the auditor has already been fired.
Is that from the serverfault page? I'd be interested to read about it...
Yes, see further down in the comments on the main entry.
Naming and shaming is also going to paint a big target on that company's head, since, you know, they collect plaintext data n' stuff
I suggest being careful with UK libel laws here. I am not a lawyer.
Indeed, truth is not always an absolute defence in the UK. Also, the law varies depending on which jurisdiction within the UK you are in; e.g. England & Wales vs Scotland vs Northern Ireland.