My mouth gets me in trouble (once again)

Posted by in Analysis on Feb 5, 2007

OK, so I posted a while back about the whole QDSP training process, and the folks over at the PCI and Data Security Compliance Blog (rightly) called me on it for being overly negative toward the wrong people. Actually, I was mostly trying to be funny, but this was unquestionably the wrong way to go about doing it. Anyway, I felt it might be good to take a moment and lay out what my frustration actually is (and why it’s not with them) and apologize to those folks for taking it personally (I actually respect their work quite highly)…

Anyway, my beef with the training is probably that I feel, as a QDSP, under-prepared for how Visa expects me to interpret the requirements of the standard. But that is not because the class wasn’t as good as it could be; instead, I think it’s because of the way the standard is implemented and assessors are qualified. Now, why should I be interpreting the requirements of the standard, you ask? Because, unlike the majority of other regulatory guidance, PCI is prescriptive. For example, PCI says that companies need to have a firewall. And they say that you have to have anti-virus software, application-level firewall software (new version), etc. It’s up to the assessor to interpret whether they have done it and whether it is done appropriately. To contrast, I just went through the ISO-27001 auditor training, and the auditors are not expected to evaluate the quality of a given implementation; for example, there’s an example in there about damage to documents caused by a leaky roof (there’s a requirement that documents be legible, retained appropriately, locatable, etc.). Anyway, the example asks if it’s acceptable from the point of view of the standard to put those documents in Tupperware containers; now, if you were to judge qualitatively, you would say “that’s crazy – fix the damn roof.” But that’d be the wrong answer… because the standard does not define what you need to do technologically so long as the core issues are met.

So, I guess my frustration is with the fact that we, as assessors, are signing off on something that we are being asked to interpret. It’s subjective and we’re not being given guidance from Visa. But that’s not the fault of the class, and it was inappropriate of me to imply that it is. So, sorry again to those guys.

  • http://datasecurity.wordpress.com/ Datasecurity

    Thanks for the post. I agree that it can be frustrating when dealing with a new standard. The problem is that PCI (or whatever it is) must apply to a wide range of merchants, so while many feel it fits snug and wears well, some will say it’s too tight and others will say it’s too loose.

    The key is understanding how to stretch or shrink the sweater (using a dryer works well.) I recommend reaching out to others when you have questions about the gray areas and getting up to speed on the details. PCI compliance is less of a science and more of an analysis.

    Thanks!
