A Guide to Practical PCI Compliance
With all the doom and gloom about how difficult and costly PCI is supposed to be, the reality is that PCI compliance is attainable and sustainable, if you follow these tips.
Finally, the cruel reality of compliance has shown that there are instances where management, upon notice of the impending audit failure, will respond by firing various people in the security group. In many cases, they may ask the remaining staff to lie to pass the audit. For the individual, this presents the dilemma of truth versus having a job.
If you find yourself in such a situation, immediately seek legal counsel. According to Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in New York City, a law firm specializing in securities and regulatory matters, "If management asks you or pressures you to sign off on something that is false, they may expose themselves to a charge of intimidation—a criminal offense in most jurisdictions—when coupled with a threat of termination. In such a case, you should seek legal counsel, since complying with management's request will make the person an accomplice, which could potentially result in fines and jail sentences."
Just the Basics
Nearly everything in PCI can be considered security 101. It is therefore surprising how many people are intimidated by the various PCI requirements. But PCI, like information security in general, is simply attention to detail and good design, combined with good project management. If you apply those disciplines to your PCI remediation effort, your chances of passing the PCI assessment are greatly increased.
Ben Rothke, CISSP, QSA, is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).
David Mundhenk, CISSP, QSA, is a security consultant with a major professional services firm.