Home page logo

basics logo Security Basics mailing list archives

How does a customer get PCI audited?
From: "Scott Race" <srace () jdaarch com>
Date: Mon, 2 Jun 2008 15:37:05 -0700

I have a client (same one from a previous post) who has some pretty
serious security issues on their network (unsecured .mdb file with
credit card into, etc).  I will be fixing the major security holes in
their network, but they still have PCI compliance issues, and I'm
assuming they need to have a quarterly scan done.

They've had this setup for about a year, they knows nothing about PCI
and compliance (myself included, I am not a QSA and still learning about
the compliance procedure).  

What are the chances of them getting audited?  How does all that work?
Could they potentially fly under the radar for years?  I thought there
was something they had to report quarterly to show they're working on
compliance, or something.

I want to be able to tell they company "Listen, here's what could happen
if you get audited, and here's the chances of you getting audited" in
hopes they would take it seriously.  I don't want to scare them without
knowing the facts, first I want to know the facts, then I will scare
them.  Thanks.
Scott Race
Technology Manager
1264 Hawks Flight Court, Suite 200
El Dorado Hills, CA 95762
P:  916.941.3700  |  F:  916.941.3777

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]