R E L A T E D   C O N T E N T
Similar articles
KnowledgeBANK
News centre
More from vnunet.com

Free email newsletters




ADVERTISEMENT

Experts call for regulation of PCI assessors

NetEvents panel warns of ambiguity in PCI compliance

Matt Chapman at NetEvents, Malta, vnunet.com 28 Sep 2007
ADVERTISEMENT

Payment card industry (PCI) assessors must be regulated if the system is to work, according to a panel of industry experts.

Bob Walder, chief scientist at NSS Labs, claimed that the PCI Data Security Standard (PDF) which sets out PCI compliance, could be ambiguous in certain areas, and that compliance assessors need to be well trained.

"These are the guys who charge quite a lot of money to look at a company's infrastructure and determine whether or not it is compliant with the DSS," he said during a panel discussion at NetEvents in Malta.

Walder warned that the wide range of choices meant that it could be "lucky" when a company uses an assessor who has a deep knowledge of network security and how it applies to PCI.

"If you are unlucky, the assessor is going to be doing little more than going through a checklist and saying 'OK you don't have a firewall, but I don't really have any further advice for you there' or 'You have this particular firewall but I'm not familiar with it, so I still can't tell you whether you're compliant or not,'" he said.

Alex Raistrick, director for Northern Europe at ConSentry Networks, believes that one way round the problem is to vet assessors to ensure that they are up to the job.

"If there is going to be a standard for PCI products, there needs to be a standard for assessors to show that the assessor is known to be successful and will get you compliant," he said.

Neil Hartsell, vice president of product marketing at Tipping Point, highlighted one of the problems that assessors face.

DSS tells companies what information they need to encrypt and that they need firewalls and antivirus, but it stops short of naming compliant products.

"It cannot go so far as to say 'This is the model of the product from vendor A that meets all those criteria' so there has to be some agency which makes that clear," Hartsell said.

"If you do not solve this problem, the assessor will never be anything more than a consultant."

See also:

Barracuda sinks teeth into NetContinuum
More consolidation in the security sphere  19 Sep 2007
PCI SSC takes on Pin Entry Device security
Council takes over from credit card companies  13 Sep 2007
UK business not meeting data protection deadlines
Board only paying lip service to IT staff  09 Aug 2007
Card industry deals out security standards
PCI SSC begins discussions  11 May 2007
Qualys and RSA tout card payment security
Firms hook up on Payment Card Industry Data Security Standard  24 Apr 2007
Credit cards
Credit card heist hits 45 million users
UK customers of TK Maxx told to check credit and debit card statements  30 Mar 2007

All Enterprise Security Technology

Like this story? Spread the news by clicking below:

Post this to Delicious del.icio.us    Post this to Digg Digg this    Post this to reddit reddit!

Permalink for this story
R E A D E R   C O M M E N T S
Post your comment Post your comment   What is this?

M A R K E T P L A C E
Sponsored links
F E A T U R E D   J O B S
EXCEPTIONAL .NET (ASP / VB / C#) DEVELOPER – SURREY HEDGE FUND
| Aston Carter
EXCEPTIONAL .NET (ASP / VB / C#) DEVELOPER – SURREY HEDGE FUND My client is a CASH RICH leading Microsoft Technology focused Hedge Fund currently experiencing unrivalled success – they need to bring on fresh ... more >
Software Developer - Modelling and Simulations - Defence
| JAM Recruitment
Position: Software Developer – Modelling / Simulations Salary: £27-37,000 Location: Luton, Bedford, Milton Keynes Apply to: a.ross@jamrecruitment.co.uk This is an excellent chance to join one of the UK’s leading Defence businesses operating at the forefront ... more >
Software Engineer – C/C++/GUI/UML - East Mids - £30-40k
| JAM Recruitment
Position: Software Engineer – C/C++/GUI/UML Salary: £30-40,000 Location: Leicester Apply to: a.ross@jamjobs.co.uk This is a fabulous opportunity to join a globally recognised organisation working as part of a team taking innovative and cutting edge solutions ... more >
Embedded Software / Systems Engineer - Defence - Cumbria
| JAM Recruitment
Position: Embedded Software / Systems Engineer Salary: £25-40,000 Location: Barrow, Cumbria, Carlisle, Lake District Apply to: a.ross@jamrecruitment.co.uk (inc salary expectations, availability and notice period) This is an exciting opportunity to join one of the UKs ... more >
More job opportunities

Useful links: About us . Privacy policy . Terms & conditions . Site map . Bookmark this site . Advertise
Consumer Technology websites:
Active Home Product reviews, competitions, news
Computeractive Software reviews, hardware reviews, buyers' guides, workshops, downloads
Gizmodo the daily gadget blog: technology news and reviews
PC Magazine your personal guide to technology
PCW software product reviews, hardware product reviews, buyers' guides, competitions
WebAct!ve what's happening on the web
What PC? helping you purchase the right computer, digital camera, peripherals, gadgets and more
Blogs:
Test Bed The PCW Labs blog, PCW Inter@ctive A reader blog from PCW. Your views, your comments, your say, Windows Watch Keeping an eye on the latest XP % Vista news
Jobs & Recruitment websites:
Accountancy Age Jobs Accountant jobs, jobs in finance, audit jobs, cima jobs, acca jobs, corporate finance jobs, management accounting jobs, finance director jobs, finance recruitment agency directory, Top 50 accountancy firms, accountant salary survey
Computing Careers IT jobs, Programmer jobs, Developer jobs, IT manager jobs, Project manager jobs, SAP jobs, Oracle Jobs, Java Jobs, IT recruitment agency directory, Top IT Employers 2005
Inquirer Jobs Software Engineer Jobs, firmware developer jobs, electronics engineer jobs
Other titles in the Incisive Media network:
Business Technology websites: BusinessGreen . Computing . Computing Business . CRN . The Inquirer . vnunet.com
Business & Finance websites: Accountancy Age . Best Practice . Financial Director . Management Consultancy
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503