A tale of two PCI security audits

Robert Duran of Time and Allan Kintigh of National Card Services share their PCI auditing experiences. Why one's experience was unpleasant and the other fared better.

Bill Brenner (CSO Online)
06 November, 2008 09:35
Comments

Page:

1
2
3
next >

Ask security professionals what the most painful part of PCI security compliance is and most will start grousing about the auditors.

Some will describe the auditor who came in and started faulting their controls without first taking time to understand the specific business dynamics the controls were designed to address. Others will lament that their auditor required them to buy an expensive new appliance from a specific vendor to attain a passing compliance grade.

Robert Duran and Allan Kintigh have endured the auditing process, but one man's experience was more unpleasant than the other's. Nevertheless, each has come away from it with a solid security program.

Duran is information security and privacy officer at Time, the New York-based media giant of 10,000-plus employees. Under PCI DSS, Time is a level 1 company, which means it processes more than six million credit card transactions a year and is subject to an annual on-site audit and quarterly network scans performed by an approved vendor. [Level 2 and 3 companies process 20,000 to 6 million credit card transactions a year and must fill out an annual self-assessment questionnaire and have an approved vendor do quarterly network scans.]

His experience is that the auditors often don't know what they're talking about.

Kintigh is a software engineer with National Bankcard Services, a payment card transaction processor with fewer than 20 employees. Though tiny compared to Time, the company is still level one because it too processes more than six million credit card transactions a year.

His experience is that the auditors are fair and genuinely helpful.

Don't believe what they say

During a panel discussion on PCI security CSO (US) held in New York last month, Duran suggested merchants learn as much as they can about the standard so they'll know when an auditor is sending them in the wrong direction.

"You need to understand PCI yourselves, because the auditors will tell you things that you may not like and probably shouldn't believe," he said. "The more you understand, the more you can challenge them."

Duran's department has to deal with two auditors - one in the U.S. and one in Europe. They often give different answers to the same questions because they are looking at it from different perspectives. He has also come across people who lack the proper understanding of such technical matters as firewall and VLAN configuration.

Page:

1
2
3
next >

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email CIO
Follow CIO on twitter

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

Latest Stories

Community Comments

"Isn't it surprising that Google, with all the resources it has at ..."

Apple and Google disagree over licensing of essential patents
"As are ours."

Monash Uni reduces IT teams after consolidation project
"QR code is a great invention people made. I'm making mobile apps ..."

FTC warns makers of background checking apps
"It hasn't cost the government, its cost the people -'The bungle has ..."

QLD govt demands answers after pay glitch
"Our thoughts are with the Monash staff."

Monash Uni reduces IT teams after consolidation project

Tags: pci standard

Latest Blog Posts

Whitepapers

Security Threat Report 2012
This threat report shares the latest research on hacktivism, online threats, mobile malware, cloud computing, and social network security looking ahead to the coming year.

Learn more »
Datacenter Efficiency with Oracle x86 Blade System Solutions
In today's competitive environment, IT organizations are under constant pressure to adapt IT resources and to improve levels of service in order to keep pace with the demands of the business. Yet, IDC finds many IT organizations burdened with an overly complex infrastructure that is driving up operating expenses and taxing IT staffing resources.

Learn more »
Managing Trust - Data protection and compliance for financial services
If it’s becoming something of a cliché that the financial services industry is one of the world’s most heavily regulated, that’s largely because it’s true. Data retention and archiving, authentication and authorisation, data loss prevention and privacy regulations compete with demands for transparency and accountability, while market imperatives calling for multiple service channels delivered over a broad spread of technologies add to the pressure. Read on.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

The State of Data Security

Recognize how your data can become vulnerable, including the latest issues stemming from unprotected data on mobile devices and social media sites. Understand the compliance issues involved, and identify data ...

Recent comments

"Isn't it surprising that Google, with all the resources it has at ..."
Apple and Google disagree over licensing of essential patents
"As are ours."
Monash Uni reduces IT teams after consolidation project
"QR code is a great invention people made. I'm making mobile apps ..."
FTC warns makers of background checking apps
"It hasn't cost the government, its cost the people -'The bungle has ..."
QLD govt demands answers after pay glitch
"Our thoughts are with the Monash staff."
Monash Uni reduces IT teams after consolidation project

HP and IDG news, product videos and resources

Follow CIO

Market Place

Improving Storage Efficiencies with Data Deduplication and Compression - Download free resource

How does Gartner rank ALM providers? Download the analysis report

Application Lifecycle Management Zone - Whitepapers | Videos | Events | e-books | Case Studies and more. Visit the Zone

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

A tale of two PCI security audits

Don't believe what they say

Comments

Post new comment

The hierarchy of wisdom

ERP reload

Tourism sector bites the bullet

iPad 3 rumour rollup for the week of February 7

Internode, iiNet improve results in customer satisfaction survey

How to create a clear project plan

Preview: Prada Phone by LG 3.0

5 open source help desk apps to watch

Monash Uni reduces IT teams after consolidation project

iPad initiative for pupils in WA

QLD govt demands answers after pay glitch

FTC warns makers of background checking apps

Apple and Google disagree over licensing of essential patents

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

The State of Data Security

Top Ten Considerations when Deploying IT Operations Management in the Cloud

Unified Storage Strategy guide

2011 Pathways Advanced ICT Leadership Development Program

Enabling Agile and Intelligent Businesses