On Tue, 2012-01-31 at 22:45 +0000, Thomas Mangin wrote:

> Furthermore auditors make more money by failing you than trying to
> understand what you have really done to secure the devices in scope.
> Finding a good auditor is the most important step in any PCI/DSS
> undertaking.

From my own experiences, a failed audit is utterly necessary to make management take notice that it's not good enough to breeze through the standard saying 'yeh, yeh, we do that, yeh, no problem.' If there's neither policy nor evidence then it doesn't happen as far as PCI-DSS is concerned, and you fail.

I do agree that it's a large imposition for small firms of only a few techies and sales guys, where it's almost impossible to separate the roles in the lifecycle of design/test/approve/implement.

Cheers,
Gavin.
