Skip to main content

more-on-pci-security-random-pen-testing

(0 comments)

In thinking a bit more about PCI security since my post on PCI visibility. I think what Visa and Mastercard need to do is to hire independent 3rd party penetration testers to pen test merchants and processors.

The PCI Three are making a big switch in September, when they will start fining acquiring banks non-compliant merchants. However, there are two problems with the auditing procedures: Auditors are paid by the companies they are auditing and audits are static snapshots. I'm not insinuating anything here about the ethics of PCI auditors, just pointing out the agency conflict and that a company might get compliant for an audit, then lapse out of compliance.

Further, as I have mentioned before, I think that the PCI program may be too little too late to fend off regulatory action. I think that having auditors that are paid by Visa/Mastercard/Amex to pen test merchants and processors would keep merchants and processors on their toes. Obviously, the merchants and processors would have to give permission for random pen tests, but I think that issue can be forced. Doing this would eliminate the two problems noted above. The pen testers would not be paid by the target companies and the target companies would have no idea when they would be audited.

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom