PCI DSS and Regulatory Compliance Blog

Meet Your PCI Auditor

January 4th, 2007 Posted in QSA

Mark Linton writes in to say that:

There was a great article on “Meet Your PCI Auditor” published in this month’s Information Security Magazine - infosecuritymag.com

After looking it up, we think the real title is “Judgement Day” but I prefer Mark’s title. (You have to “log in” so just use the email address: test@test.com)

It is an OK piece given the limited space one has to write about PCI. I cringe at the thought of writing a short 2,000-word piece on any topic with the intention of being comprehensive. I would rather see a 2,000-word piece on one specific aspect of PCI that provides useful information.

For example, the title “Judgement Day” sets the rest of the article up to hype the fear of PCI. I would rather have an article titled “Meet Your PCI Auditor” with useful tips on how to choose a PCI auditor: perhaps questions to ask to make sure they understand the industry, or guidance to help people navigate the waters of picking one. That would have been an article worth reading.

If by now you do not know what PCI is then I recommend going to a class and educating yourself from the experts.

Update: This blog post has been updated here.

7 Responses to “Meet Your PCI Auditor”

By Stuart King on Jan 5, 2007

    Excellent and informative blog - thanks. I support PCI efforts within my own organisation and see the audit as more than just a test of PCI compliance but also a test of overall security status.

By datasecurity on Jan 5, 2007

    Thank you for the kind words and the link from your blog.

    If you have any PCI related questions please post them here (anywhere) and we will get them answered.

    Cheers!

By ML on Jan 9, 2007

    In the place of sarcastic poking, Martin McKeay should comment on how reassured he is that his auditor understands and can reflect on PCI FUD.

By Ronald on Mar 20, 2008

    One of the hardest things I find is being held hostage to the QSA companies. We have auditors that are autonomous in our government offices who will be doing the annual reviews since we are a level 1, but the PCI council created no method to train and certify auditors in these situations. QSA companies many times are more concerned with pushing their software and other cost services.

3 Trackback(s)

  - Jan 9, 2007: Meet Your PCI Auditor - part 2 « PCI and Data Security Compliance
  - Mar 20, 2007: Preparing for PCI at PCI Compliance Demystified
  - Apr 12, 2007: What is the difference between QSAs? at PCI Compliance Demystified
