May 17, 2010, 11:53 AM — WHAT IS PCI? The Payment Card Industry Data Security Standards "are the floor, not the ceiling" for data security, says Martin McKeay, a qualified security assessor (QSA) and author of the Network Security Blog.
COMPLIANCE IS ONLY PHASE ONE. McKeay says some merchants only do the minimum to comply with PCI and thinks QSAs need to teach businesses that these standards are only a baseline. "There are those who see it as a pain."
ASSESSMENTS CAN BE SUBJECTIVE. McKeay emphasizes that PCI assessments aren't clear-cut audits because many standards are open to interpretation. That makes it doubly important that you establish a good relationship and clear lines of communication with your QSA.
NARROW THE SCOPE, IF POSSIBLE. You are required to assess every network and system that comes in contact with credit card data. You can save yourself headaches by segmenting your network to keep that number to a bare minimum.
ALLOW SUFFICIENT TIME FOR AUDITS. If you don't allow time for the QSA to review your documentation, as well as for you to remedy any problems, you could put yourself in the position of begging your bank for an extension.
Read more about security in CIO's Security Drilldown.