I just caught up with this post (which I had squirrelled away to read later with my Google Bookmarks toolbar and just rediscovered). Some nice work here by Bob Tarzey in summing up the main requirements of PCIDSS, the advantages of getting ready and the basic implications of breach. PCI might be the kick that some firms need to re-assess security: the regularity of the audits might just make the difference. It's easy to put off spending money to counter a threat with an Annual Rate of Occurence (ARO) calculated as 0.1 (i.e. every 10 years) - human nature and available time dictate that the auditor landing on your desk every quarter wins hands down.
Check out too the comments on this post, also on silicon.com. The griping about variable approaches from the assessors is to be expected with any new standard, I think this will settle down in time. On the particular issue about voice recordings of CCV2 numbers, I would hope encryption and strong access control over the voice recordings would suffice but would welcome clarification from the PCI on this or any views from QSAs reading this.
In any case, as I have blogged before, don't make compliance with the standard your goal, make good security your goal and you will achieve compliance as a direct consequence. Or as Papa_K puts it rather nicely on that comment thread: "If you prepare for compliance audits like you prepare for a punch in the stomach to prove your abs are strong then you'll not be prepared for the sucker punch."
Posts
No comments:
Post a Comment