BreachExchange mailing list archives

Re: Visa/PCI, care to spin-doctor this crap?


From: "James Ritchie, CISA, CISSP" <james_ritchie () sbcglobal net>
Date: Fri, 27 Feb 2009 11:16:49 -0500

No, and they probably never will be able to. Any audit is nothing more
than a snapshot in time. A merchant could apply patches right after the
certification, change business processes, etc., which could have an adverse
effect on the system. The auditor must maintain all the work papers
they created to support their conclusion. That is why the
standard has a section in it for ongoing monitoring of the controls that
are in effect in the company. That may mean an internal audit function,
or frequent checks and reporting from within the company, must be
created to ensure ongoing compliance.

B.K. DeLong wrote:
That's been a long-time question of mine. Have any merchants been
successful in transferring risk and accountability for PCI compliance
back to the auditor via their contract?

But likewise, that audit is good for only that finite point in time,
correct? As soon as changes start being made, it becomes
non-compliant. Especially if you have policy not strictly followed or
rigorously enforced.

On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:
Does Trustwave have any responsibility and/or liability?



Michael Hill, CITRMS
www.idtheft101.net
www.identitytheftCompliance.net
404-216-3751


-- 
James Ritchie
CISA, CISSP, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)