Who’s to Blame When PCI Security Fails?
source: http://information-security-resources.com/2009/07/14/whos-to-blame-when-pci-security-fails/
Paisano1 added this
Auditors definitely need to be more exacting and tougher when evaluating a company’s adherence to the specification. But an audit is a point-in-time event that says “as of today” your security level and change and control processes are at an acceptable state.
If Savvis did a poor job of auditing CardSystems and issued a PCI certificate when that company was not really compliant, Savvis is at fault for issuing the certificate.
But what about the many companies who are compliant with PCI DSS with a point-in-time audit only to be breached a month later?
