BreachExchange mailing list archives
Re: Visa/PCI, care to spin-doctor this crap?
From: "Susan Kohl" <susan.kohl () thoughtkeyinc com>
Date: Fri, 27 Feb 2009 12:06:21 -0500
It is important to note the two components of PCI: Compliance and Validation. The Qualified Security Assessor (QSA) and Scan Vendors (ASV) (collectively referred to as “security assessors” for purposes of this discussion) are required to validate the compliance of an environment to the PCI DSS as of a point in time, based on historical evidence and the current setup. It is up to the business (hiring the security assessor) to maintain a compliant environment 24/7. The security assessor cannot control what happens when they are not engaged in the audit/review. Their annual audit looks for historical evidence that the PCI steps were in fact in place and are effective. They even go as far as to review the setup to ensure those controls are set to continue. Whether or not the business (merchant, processor, etc.) changes those configurations/settings falls on the responsibility of the business, not the security assessors. With that being said, if the security assessor did not follow the required audit/review steps (i.e., negligence), then the validation efforts may in fact be INVALID and liability may fall on the security assessor (as well as the business, depending on what else transpired).

Susan Kohl
President
678.522.2466
Susan.Kohl () ThoughtKeyInc com
www.ThoughtKeyInc.com
"Think PCI, Think ThoughtKey...we lead the way"

From: dataloss-bounces () datalossdb org [mailto:dataloss-bounces () datalossdb org] On Behalf Of James Ritchie, CISA, CISSP
Sent: Friday, February 27, 2009 11:17 AM
To: B.K. DeLong
Cc: Michael Hill, CITRMS; dataloss () datalossdb org; gboyet () pcisecuritystandards org; security curmudgeon
Subject: Re: [Dataloss] Visa/PCI, care to spin-doctor this crap?

No, and they probably will never be able to. Any audit is nothing more than a snapshot in time. A merchant could apply patches right after the certification, change business process, etc. that could have an adverse effect on the system.
The auditor must maintain all the work papers that they created to support their conclusion. That is why the standard has a section in it for ongoing monitoring of the controls that are effective in the company. That may mean an internal audit function, or frequent checks and reporting from within the company, must be created to ensure ongoing compliance.

B.K. DeLong wrote:

That's been a long-time question of mine. Have any merchants been successful in transferring risk and accountability for PCI compliance back to the auditor via their contract? But likewise, that audit is good for only that finite point in time, correct? As soon as changes start being made, it becomes non-compliant. Especially if you have policy not strictly followed or rigorously enforced.

On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:

Does Trustwave have any responsibility and/or liability?

Michael Hill, CITRMS
www.idtheft101.net
www.identitytheftCompliance.net
404-216-3751

--
James Ritchie
CISA, CISSP, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+