After discussing the new, more stringent PCI (Payment Card Industry) guidelines several times, including last month, let's dig even deeper. Two companies involved in both ends of the PCI process graciously talked to me about what one did to pass, and how the other evaluated its progress to get a passing grade on its assessment.
“Technically, companies don't undergo PCI audits, but PCI assessments,” said Rick Dakin, President and CEO of Coalfire Systems, a security group focusing on compliance assessment and management solutions. Audits have more stringent legal liabilities attached.
But don't get the idea a PCI “assessment” is a snap to pass, because it's not. Jeremy Segale is VP Operations for PaySimple, a service company specializing in auto-recurring billing, eChecks, online payments, and credit card processing. The company does so many transactions at such volume it is a Tier 1 Merchant and requires an on-site assessment. “We started on January eighth,” said Segale, “and the process was finalized March first.”
Segale made a 12-page worksheet, one page for every major security area PCI requires to be checked, and did an internal pre-audit. Those 12 pages contained 136 major points to check. Some security requirements were already satisfied by the data center hosting the company's servers, such as the physical access restrictions on the servers that protect cardholder data.
PaySimple did a “gap analysis” before Coalfire arrived, said Segale, “just on a pass/fail basis for internal use only.” Things he hadn't considered, like “screen shots showing domain management of user access,” caught them by surprise on the first trip through the checklist.
Rick Dakin of Coalfire said his company started as an early ASP (Application Service Provider, the forerunner of Software as a Service) back before the Internet bubble burst. After it did, he focused on the security parts of the business and moved into compliance, which now takes 100% of the company's attention.
“The compliance business still needs a trained eye,” said Dakin, “and you can make it as a boutique firm in compliance management.” Coalfire has 40 auditors, plus support staff, in offices in New York, Seattle, and Boulder, Colo. “The Big Four accounting firms aren't in compliance because the PCI standards are not at AICPA (American Institute of Certified Public Accountants) levels.”