Question about PCI audit results and reality....

[vlape at me.com (Vincent Lape)]

in this economy good luck. its hard to justify spending money if the  
helmets are "good enough to pass". i have found in the past that if a  
brick fell down and hit a squirrel in the head, and the squirrel died,  
something was done at a quick pace. OR if the squirrel helmets  
experienced a catastrophic failure they would need to be replaced.



On Aug 12, 2009, at 10:23 AM, Jason Wood wrote:

> So I have a "hypothetical" situation that I'd like some ideas on.
>
> Say you go through a PCI audit and certain things that you know are  
> a problem are not marked as such by the auditor.  (we can get into  
> getting a new QSA later)  To make up a completely fake scenario,  
> lets say that item 15.3 requires all squirrels to wear helmets when  
> running the credit card numbers from the web server to the database  
> server.  (squirrelNet anyone?)  The QSA says that there are no  
> problems and that the squirrels are wearing helmets properly.  The  
> issue is that the helmets are made of newspaper and don't look like  
> a helmet from anything beyond a passing glance.
>
> As the admin/squirrel handler, I want to justify getting proper  
> helmets on the squirrels.  However, here's this audit report which  
> states that there's no problem here.  How do you go about justifying  
> "real" squirrel helmets when the QSA says everything is good.   
> Chances are good management is going to look at the report and tell  
> you to leave the newspaper hats in place because it is good enough  
> for the QSA.
>
> Short of calling up the QSA and asking him WTF (and getting in hot  
> water for doing so), how do you deal with this?
>
> Here's some of the ideas that have occurred to me:
> Explain to management what squirrel helmets really are supposed to  
> be and that not every QSA is going to be so... casual about them.
> Explain that PCI is a minimum set of requirements and doesn't insure  
> actual security.
> Club a squirrel on the head and demonstrate that newspaper isn't an  
> adequate helmet.
> How do you deal with justifying security improvements when an audit  
> report says that everything is blue skies and happy days?
>
> Thanks,
> Jason
>
> P.S.  SquirrelNet was inspired by @beaker and no actual squirrels  
> were used to run credit card numbers or were clubbed on the head  
> while writing this email.
>
> -- 
>
> irc: Tadaka
> Twitter:  Jason_Wood
> jwnetworkconsulting.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090812/e22b4d6d/attachment.htm