A tale of two PCI security audits
Ask security professionals what the most painful part of PCI security compliance is and most will start grousing about the auditors.
Some will describe the auditor who came in and started faulting their controls without first taking time to understand the specific business dynamics the controls were designed to address. Others will lament that their auditor required them to buy an expensive new appliance from a specific vendor to attain a passing compliance grade.
Robert Duran and Allan Kintigh have endured the auditing process, but one man's experience was more unpleasant than the other's. Nevertheless, each has come away from it with a solid security program.
Duran is information security and privacy officer at Time Inc., the New York-based media giant of 10,000-plus employees. Under PCI DSS, Time is a level 1 company, which means it processes more than six million credit card transactions a year and is subject to an annual on-site audit and quarterly network scans performed by an approved vendor. [Level 2 and 3 companies process 20,000 to 6 million credit card transactions a year and must fill out an annual self-assessment questionnaire and have an approved vendor do quarterly network scans.]
His experience is that the auditors often don't know what they're talking about.
Kintigh is a software engineer with Minnesota-based National Bankcard Services, a payment card transaction processor with fewer than 20 employees. Though tiny compared to Time Inc., the company is still level one because it too processes more than six million credit card transactions a year.
His experience is that the auditors are fair and genuinely helpful.
Don't believe what they say
During a panel discussion on PCI security CSOonline held in New York last month, Duran suggested merchants learn as much as they can about the standard so they'll know when an auditor is sending them in the wrong direction.
"You need to understand PCI yourselves, because the auditors will tell you things that you may not like and probably shouldn't believe," he said. "The more you understand, the more you can challenge them."
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
PCI compliance
Powered by TwitterOn Twitter now
PCI compliance
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
