Choose your PCI Auditors Carefully…….

August 24th, 2007 Drazen Drazic Posted in Bad Stuff, PCI, PCI DSS |

I wrote a little while ago about seeing the results of some “Big” guys’ PCI Audits at clients, only to be called out on another PCI site that “Big” guys don’t do PCI audits. Most don’t……anymore, and it was nice to get some follow-up responses on that site supporting the facts.

Let’s not pick on these guys directly, though remnants of their work still remain. We know….we see it! Aside: how some of these guys ever signed off on some audits, giving clients a compliance pass, makes it clear why many are no longer in the game. Negligent and dangerous to clients.

If you’re a merchant or service provider, let me explain something called “Safe Harbour”.

A Report on Compliance that gives you all the ticks means jack should you be compromised and then found non-compliant by an independent review, undertaken by an authorised party engaged by the PCI dudes after your compromise. Yep…..you could be deep in it even though that PCI Auditor told you all was well!

So, was it worth going with the guys that quoted 4 days for the PCI Onsite Audit when another company quoted 4 weeks?! Did that difference not ring alarm bells? Did you not ask questions? Did you really think that the ticks in the boxes discharged your responsibilities? Did you know what “safe harbour” meant?

Companies need to get smarter and realise the risks they face by not spending some time asking questions. Saving a few thousand bucks today could mean being up for millions in damages later…. and trust me, it does and will happen.
