
November 18, 2008


Listed below are links to weblogs that reference Did the PCI Security Standards Council finally admit a problem?:

Comments

Bryan Johnson

Randall - agreed. Individual interpretations from QSA to QSA have been a challenge for merchants. It's good to see the Council move in this direction.

Bryan Johnson

Randall - agreed. Individual interpretations from QSA to QSA have proved challenging for merchants and service providers. This is a welcome change.

Kim Singletary, Solidcore

Any 4-party model is complex; this one includes Payment Networks, Payment Card Industry Security Standards Council, QSAs and Retailers. Retailers purchase QSA services engaging in audits of PCI compliance. Some are being influenced to interpret the standards with less rigor for repeat business with the client and others are influenced to place technology when they gain from referral fees or internal technology sales incentives.

One community initiative of 'remaining current with industry trends' is losing ground with this current framework. Until more emphasis is placed on security and meeting the intent of the PCI-DSS requirements, emerging technologies will continue to be woefully underutilized. This is a shame since many QSAs feel they cannot approve these technologies because they want to keep under the radar and will even approve a less effective common solution to limit exposure of their report from the potential scrutiny by the payment network board.

If the quality measurements were public about both Retailer satisfaction of their QSA engagements and PCI SSC quality assurance ratings then that would be a healthy change. QSAs could then focus on what's best for securing and protecting the payment card transactional network and allow the market to grow because of the quality of work accomplished and not just because they were able to perform the most amount of audits.

