A Tale of Two PCI Security Audits
Robert Duran of Time Inc. and Allan Kintigh of National Card Services share their PCI auditing experiences. Why one's experience was unpleasant and the other fared better.
By Bill Brenner, Senior Editor
Duran's department has to deal with two auditors - one in the U.S. and one in Europe. They often give different answers to the same questions because they are looking at it from different perspectives. He has also come across people who lack the proper understanding of such technical matters as firewall and VLAN configuration.
"Not all [auditors] are the same and not all of their responses will fit your situations," he said. "And so we have to manage them against each other and get what we need from them. They don't always understand the specific security needs of the business."
For example, he said, a department can catch flak for not having a firewall installed on certain systems, even though the more appropriate course for the business unit may be to segment parts of the network from other areas.
Merchants who take the time to truly understand the mechanics of PCI are therefore in a position to debate the auditor's findings and avoid wasteful technological investments that are sometimes made for the sake of a passing grade.
Communication = a better experience
Kintigh has had more positive dealings with the auditors. One thing in his favor is that his company's footprint is tiny compared to Time Inc. Overhead is low and the company has no more than 20 employees. The systems an auditor must examine are a lot simpler.
"We've had fairly decent interactions with our auditors," Kintigh said. "They've been willing to talk over issues with us before giving us the big red X. We are a small company and their processes are built for rather large companies."
Since there are only a small number of people signing off on software changes and the like, auditors seem to have an easier time pinpointing strengths and weaknesses in the company's PCI security program. In this case, they recommended a more formalized software update process.
"They wanted to see tighter control over our procedures for software tracking, patch management and change management," he said. "We had a system in place but not under a formalized process. They wanted more documented, formal procedures and they wanted us to be more consistent about it."
At the beginning of the auditing process, they also examined the company's firewall rules and suggested changes. "We had various firewalls on different machines and the auditors suggested they wanted to see more of a commercial box for that," he said.
Each year, he said, the auditing process gets easier because the company gains a better understanding of what auditors tend to look at.