BreachExchange mailing list archives

Re: Visa/PCI, care to spin-doctor this crap?


From: "Susan Kohl" <susan.kohl () thoughtkeyinc com>
Date: Fri, 27 Feb 2009 12:06:21 -0500

It is important to note the two components of PCI:  Compliance and Validation.

The Qualified Security Assessor (QSA) and Approved Scan Vendors (ASV) (collectively referred to as "security assessors" for purposes of this discussion) are required to validate the compliance of an environment to the PCI DSS as of a point in time, based on historical evidence and the current setup. It is up to the business (hiring the security assessor) to maintain a compliant environment 24/7. The security assessor cannot control what happens when they are not engaged in the audit/review. Their annual audit looks for historical evidence that the PCI steps were in fact in place and are effective. They even go as far as to review the setup to ensure those controls are set to continue. Whether or not the business (merchant, processor, etc.) changes those configurations/settings falls under the responsibility of the business, not the security assessors.

With that being said, if the security assessor did not follow the required audit/review steps (i.e., negligence), then the validation efforts may in fact be INVALID and liability may fall on the security assessor (as well as the business, depending on what else transpired).


     Susan Kohl

     President

     678.522.2466

     Susan.Kohl () ThoughtKeyInc com

     www.ThoughtKeyInc.com

    "Think PCI, Think ThoughtKey...we lead the way"

From: dataloss-bounces () datalossdb org [mailto:dataloss-bounces () datalossdb org] On Behalf Of James Ritchie, CISA, 
CISSP
Sent: Friday, February 27, 2009 11:17 AM
To: B.K. DeLong
Cc: Michael Hill, CITRMS; dataloss () datalossdb org; gboyet () pcisecuritystandards org; security curmudgeon
Subject: Re: [Dataloss] Visa/PCI, care to spin-doctor this crap?

No, and they probably will never be able to. Any audit is nothing more than a snapshot in time. A merchant could apply patches right after the certification, change business processes, etc., that could have an adverse effect on the system. The auditor must maintain all the work papers that they created to support their conclusion. That is why the standard has a section in it for ongoing monitoring of the controls that are effective in the company. If that means an internal audit function, or frequent checks and reporting from within the company, it must be created to ensure ongoing compliance.

B.K. DeLong wrote: 

That's been a long-time question of mine. Have any merchants been
successful in transferring risk and accountability for PCI Compliance
back to the auditor via their contract?
 
But likewise, that audit is good for only that finite point in time,
correct? As soon as changes start being made, it becomes
non-compliant. Especially if you have policy not strictly followed or
rigorously enforced.
 
On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:

Does Trustwave have any responsibility and/or liability?
Michael Hill, CITRMS
www.idtheft101.net
www.identitytheftCompliance.net
404-216-3751
-- 
James Ritchie
CISA, CISSP, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
