Posts Tagged ‘PCI compliance’

05 Sep 15

They Are Just Words

QSAs get asked a lot of “what ifs”.

  • If I do ‘A’, will that result in ‘B’?
  • What if I do ‘C’, will that accomplish ‘D’?
  • If I do ‘E’, will that cause ‘F’?

Where this really hits hard is when an organization is trying to reduce the scope of its cardholder data environment (CDE). Another area where this becomes problematic is when organizations are re-architecting their networks and want to take into account PCI or any other regulatory or security requirements. Nine times out of ten, the client wants a QSA to review the new network architecture and “bless it” as PCI compliant. We can discuss scope reduction strategies all day long but, until they are implemented and physically exist, they are all just theory. And as I like to famously say, “In theory, theory works.”

I know this frustrates organizations, but the essence of PCI compliance is validation. A QSA can review proposed network architectures and state that they “appear” as though they will be PCI compliant, but the proof is in the implementation. It is only when the organization can provide all of the configurations and penetration testing results for review that a QSA can then determine the PCI compliance of a network and the related devices.

So the next time you are asking your QSA a hypothetical question, do not get all wound up when the QSA responds with what appears to be a lame, “weasel worded” sounding answer. Until you provide concrete evidence, it is all just words, pretty pictures and a thought exercise.
