"management" if only they didn't exist and we could get rid of all the 
customers! 

I've deployed PCI accreditation (and many other more painful frameworks) on 
several occasions; no failure was needed. This isn't about the piece of paper, 
it's about ensuring that you manage risk effectively.

Sent from my iPad 

On 31 Jan 2012, at 23:05, "Gavin Hamill" <[email protected]> wrote:

> On Tue, 2012-01-31 at 22:45 +0000, Thomas Mangin wrote:
> 
>> Furthermore auditors make more money by failing you than trying to
>> understand what you have really done to secure the devices in scope.
>> Finding a good auditor is the most important step in any PCI/DSS
>> undertaking.
> 
> From my own experiences, a failed audit is utterly necessary to make
> management take notice that it's not good enough to breeze through the
> standard saying 'yeh, yeh we do that yeh no problem.'
> 
> If there's neither policy nor evidence then it doesn't happen as far as
> PCI-DSS is concerned, and you fail.
> 
> I do agree that it's a large imposition for small firms of only a few
> techies and sales guys where it's almost impossible to separate the
> roles in the lifecycle of design/test/approve/implement.
> 
> Cheers,
> Gavin.