A tale of two PCI security audits

Robert Duran of Time and Allan Kintigh of National Card Services share their PCI auditing experiences, and explain why one's experience was unpleasant while the other's fared better.

Ask security professionals what the most painful part of PCI security compliance is and most will start grousing about the auditors.

Some will describe the auditor who came in and started faulting their controls without first taking time to understand the specific business dynamics the controls were designed to address. Others will lament that their auditor required them to buy an expensive new appliance from a specific vendor to attain a passing compliance grade.

Robert Duran and Allan Kintigh have endured the auditing process, but one man's experience was more unpleasant than the other's. Nevertheless, each has come away from it with a solid security program.

Duran is information security and privacy officer at Time, the New York-based media giant of 10,000-plus employees. Under PCI DSS, Time is a level 1 company, which means it processes more than six million credit card transactions a year and is subject to an annual on-site audit and quarterly network scans performed by an approved vendor. [Level 2 and 3 companies process 20,000 to 6 million credit card transactions a year and must fill out an annual self-assessment questionnaire and have an approved vendor do quarterly network scans.]

His experience is that the auditors often don't know what they're talking about.

Kintigh is a software engineer with National Bankcard Services, a payment card transaction processor with fewer than 20 employees. Though tiny compared to Time, the company is still level 1 because it too processes more than six million credit card transactions a year.

His experience is that the auditors are fair and genuinely helpful.

Don't believe what they say

During a panel discussion on PCI security that CSO (US) held in New York last month, Duran suggested merchants learn as much as they can about the standard so they'll know when an auditor is sending them in the wrong direction.

"You need to understand PCI yourselves, because the auditors will tell you things that you may not like and probably shouldn't believe," he said. "The more you understand, the more you can challenge them."

Duran's department has to deal with two auditors - one in the U.S. and one in Europe. They often give different answers to the same questions because they approach them from different perspectives. He has also come across auditors who lack a proper understanding of such technical matters as firewall and VLAN configuration.
