Reality of PCI compliance starting to hit home……
February 14th, 2007 Drazen Drazic Posted in PCI, PCI DSS |
I’m waiting on some responses from PCI members at present, but it has been a few days since I threw a few things out there… and there are a few things we’re trying to cover:
1. Why have fines started being imposed by some members of the PCI when it was hoped that the big stick would be put aside for a while, as long as organisations could demonstrate a commitment to compliance (through roadmaps etc.)?
2. Will fines encourage compliance or:
- BS responses (discussed previously in this blog)?
- Organisations willing to pay the fine and stuff the compliance work?
3. How are some QSAs able to complete an onsite audit in a few days and pass a Tier 1, when others quote a minimum of 3 weeks (not including re-audits because issues are holding back compliance)? I’ll give ya the tip - I’d bet my house on being able to rip apart a clean Report on Compliance delivered in 3-4 days by some “BIG” guys. (Now which one is the mainframe?)
4. Related to the previous question - why is it that many QSAs themselves don’t understand what falls into scope and what does not, in relation to PCI DSS compliance? If many QSAs struggle themselves, it amazes me that so many SAQs undertaken by merchants themselves come back as “compliant”. How?
5. Are there inconsistent messages being passed down from the Acquiring banks?
There are still so many questions around PCI that need to be addressed, clarified, etc. It’s a good thing, but it needs some work! Hopefully we’ll get some responses and share them here.