It is hard to miss the TrustWave seal on a number of Web sites. They display the following statement: “Based upon information provided by [company name] regarding its policies, procedures, and technical systems that store, process and/or transmit cardholder data, [company name] has performed the required procedures to validate compliance with the PCI DSS.”
If you dig down into the seal, the certificate declares the information was verified by SecureTrust.
Now, officially, WebTrust, the Web site assurance service of the American Institute of CPAs mentioned in the headline, isn’t dead yet. It, and the other parts of what are called Trust Services, have been farmed out to the Canadian Institute of Chartered Accountants more than a year ago, farmed out very quietly.
The Canadians had been more successful with these programs, so the institute reasoned they belonged north of the border, according to Jim Metzler, the AICPA’s vice president of small firm interests.
None of this is hot news. But the long slow decline of a program that never lived up to expectations is worth discussing, especially since the AICPA’s own site now displays the TrustWave seal, and not that of its own program. In fact, since the initial inquiries about the Canadian involvement were sent to the AICPA’s press office early in January, the site,
For those who don’t remember WebTrust, it was a child of the dot-com era, created in September 1997. The idea was that CPAs by the hundreds, if not thousands, could make money by annually certifying the Web sites met certain standards of security and confidentiality, among others. Buyers could be assured they could use their credit cards with safety if they did business with a company whose site bore the WebTrust logo.
In 1999, the AICPA followed with SysTrust, via which CPAs were supposedly going to do a booming business assuring that company IT systems were reliable. The way an article in the November 1999 Journal of Accountancy described it: “In a SysTrust engagement, accountants report on the availability, security, integrity and maintainability of a system.” The article also talked about ISPTrust “a new assurance service being developed by the electronic commerce task force that will evaluate Internet service providers.” Frankly, I don’t remember ISPTrust making it out of committee.
None of this ever took off, if for no other reason than because most online purchases were via credit cards and the credit card companies pretty much guaranteed that the buyer wouldn’t lose more than $50 if a problem was reported. There was never a point in which more than 50 companies displayed the WebTrust seal on their Web sites.
But I think the real stumbling block was that these skills were something that a lot of people other than CPAs could perform. Moreover, consumers didn’t think of CPAs in this way and CPAs didn’t think of themselves in this way. It just wasn’t in the genes.
Why did the Canadians have so much better luck? Maybe it was one or two accountants with sales talent. Maybe it was just the way they say “Eh.”
