More on PCI - the audit guide

Some excellent commentary from Mark Curphey on the subject of the PCI DSS over on his blog at

The other element of the PCI DSS that is of concern is the Audit Procedures and Reporting document, which is designed to be the principal guidance for PCI certified auditors. Picking up on Mark’s point about item 1.1.9 and the requirement for configuration standards for routers, the audit guide is just as ambiguous: it only instructs auditors to “Verify that firewall configuration standards include both firewalls and routers.” That’s it!

Another audit clause that really gripes me is this one:

6.5.b For any web-based application, inquire (sk – shouldn’t that be enquire?) of a sample of (insert sample size) web developers and obtain evidence that they are knowledgeable in secure coding techniques

How does this clause mitigate risk? It provides no constructive guidance whatsoever beyond a vague expectation that someone will know the right set of questions to ask.

It’s almost as vague as the audit guidance around clause 6.5.10, which expects the auditor to check that there is no “insecure configuration management.” What does that mean? You can have poorly managed configuration management, or incorrect configurations resulting from errors and lack of knowledge, but I don’t know whether either of those is the same thing as insecure configuration management. Perhaps they are referring to the insecurities of the person performing the management. I imagine they are on the lookout for some network admin asking himself, “am I any good at this whole configuration lark?”

What it boils down to is that the audit guide is just as ambiguous as the standard itself.


I could not agree more. Just another case of 'security theatre' in a world that is already full of it. I agree that some kind of standards are necessary, but the whole PCI circus smacks of overt commercialism, rather than really offering a realistic way of managing the risk. I fear that this is another example of the 'security industry' creating a bad name for itself. Ho hum.
Seriously dude, are you looking for any little thing to pick at? Having previously worked alongside Visa for a number of years on payment card security, I can attest that the PCI DSS is the best thing that happened to the industry. People don't realize that prior to the PCI standard and its predecessor the CISP, many (majority?) large payment processing organizations and merchants had little regard for cardholder data security. Shocking, but I know firsthand. The PCI standard is not perfect, but then again, what is? The intent is to increase the general level of security over cardholder data. Granted, a few audit procedures could be clarified. For what it's worth, hundreds of organizations have undergone significant steps to comply with the spirit of the standard. And that's the point; organizations and their Qualified Security Assessors (QSAs) use the PCI DSS as an audit guideline for determining compliance. Ultimately, the QSA interprets the standard to determine compliance, as no two organizations will implement the 250+ controls in the same manner. Not to be too cheeky, but enquire and inquire are used interchangeably, with the latter favored, in the country where the standard was written.