Thursday, February 25, 2010

Some Slack on PCI-Compliance Audits?

The November 2009 PCI Council guidance gives some idea of how a merchant can still be assessed as PCI-compliant even after missing a quarterly external vulnerability scan, reports StorefrontBacktalk. Specifically, if your QSA believes you met the intent of Requirement 11.2 and that your risk has been sufficiently addressed through your overall efforts and practices, the QSA can assess you as compliant even though you did not meet 11.2 exactly as stated (i.e., four passing quarterly scans).

Those "practices" would be having all your other controls in place as part of your overall vulnerability management: timely patching of all systems, internal and external penetration tests whenever there is an application upgrade or infrastructure change, and your quarterly internal vulnerability scans. For good measure, StorefrontBacktalk suggests also putting an internal procedure in place so you don't end up in this fix again next year. With this approach, you might just be able to work with your QSA to make the case that you met the spirit and intent of 11.2.

Bear in mind that your acquirer needs to be comfortable with any compensating control, because the acquirer is the one who has to accept your Report on Compliance (ROC), or your Self-Assessment Questionnaire (SAQ) if you self-assess.
