Security Basics mailing list archives

Re: How does a customer get PCI audited?

From: Adriel Desautels <adriel () netragard com>
Date: Tue, 03 Jun 2008 11:49:29 -0400

Scott,
I don't have much time right now but I do want to take a quick moment to give you some advice. When your customer is trying to become PCI compliant, make sure that they are tested by a QUALIFIED security company. That means that the deliverable produced by the company MUST be the product of human talent and expertise and NOT the product of any automated scanners or tools. It is very easy to be PCI compliant when you are checked by an automated scanner, but in such cases being compliant means nothing because you're probably still hackable.

If you want to be truly PCI Compliant, get tested by someone who can really run you through the wringer.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Scott Race wrote:
I have a client (same one from a previous post) who has some pretty
serious security issues on their network (unsecured .mdb file with
credit card info, etc.).  I will be fixing the major security holes in
their network, but they still have PCI compliance issues, and I'm
assuming they need to have a quarterly scan done.

They've had this setup for about a year, and they know nothing about PCI
and compliance (myself included; I am not a QSA and am still learning about
the compliance procedure).
What are the chances of them getting audited?  How does all that work?
Could they potentially fly under the radar for years?  I thought there
was something they had to report quarterly to show they're working on
compliance, or something.

I want to be able to tell the company "Listen, here's what could happen
if you get audited, and here's the chance of you getting audited" in
hopes they would take it seriously.  I don't want to scare them without
knowing the facts; first I want to know the facts, then I will scare
them.  Thanks.
Scott Race
Technology Manager
JD+A NETWORK SERVICES
1264 Hawks Flight Court, Suite 200
El Dorado Hills, CA 95762
P:  916.941.3700  |  F:  916.941.3777
