BreachExchange mailing list archives
Re: Visa/PCI, care to spin-doctor this crap?
From: "James Ritchie, CISA, CISSP" <james_ritchie () sbcglobal net>
Date: Fri, 27 Feb 2009 11:16:49 -0500
No, and they probably will never be able to. Any audit is nothing more than a snapshot in time. A merchant could apply patches right after the certification, change business process, etc. that could have an adverse effect on the system. The auditor must maintain all the work papers that they created to support their conclusion. That is why the standard has a section in it for ongoing monitoring of the controls that are effective in the company. If that means an internal audit function, or frequent checks and reporting from within the company, must be created to ensure ongoing compliance.

B.K. DeLong wrote:

That's been a long time question of mine. Have any merchants been successful in transferring risk and accountability for PCI Compliance back to the auditor via their contract? But likewise, that audit is good for only that finite point in time, correct? As soon as changes start being made, it becomes non compliant. Especially if you have policy not strictly followed or rigorously enforced.

On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:

Does Trustwave have any responsibility and/or liability?

Michael Hill, CITRMS
www.idtheft101.net
www.identitytheftCompliance.net
404-216-3751
-- James Ritchie CISA, CISSP, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org)