The major credit card companies have been strong-arming companies that process credit cards into compliance for over 3 years now, but is it working? The obvious answer may seem to be yes. Droves of companies report annual compliance and have auditors verify that with on-site audits. This has effectively made these companies safer, then, right?
Well, not necessarily. While the PCI-DSS Board, the organization that provides the PCI standards, will attest that its requirements do improve a company's overall IT security, it too relies on the certified PCI auditors to report a company's compliance with these standards. Therein lies the problem.
A company's compliance is dependent on what the PCI auditor, certified by PCI-DSS mind you, reports back to the PCI-DSS Board. In many cases these auditors, like many others, perform an audit based on questionnaires and individual interviews with IT personnel.
A compliance officer at a major fast food restaurant chain said that they use canned audit responses each year, and that at their PCI level those answers are almost never questioned. This type of attitude seems to be the trend.
"I just tell them [PCI auditors] whatever they want to hear," said Maryann Douglass, in charge of PCI compliance for Macy's, Inc. "I'm sure everyone else fibs to auditors too. Around here, I jokingly call that the real Magic of Macy's," Douglass continued.
With some companies not taking the credit card regulations as seriously as the PCI-DSS Board would like, is this a place where the Federal Government should step in? Many say no, but even if that happened, would it help? It's still too early to tell.
With attacks on companies still on the rise, the question may not be whether or not the PCI-DSS standards are working, but rather whether compliance is happening at all.