avoiding eye contact, by Foxtongue

How to Avoid a Made Up Requirement

The only way to avoid a made up requirement is to ensure that there is material in the PCI DSS that supports a recommendation before it’s made. There are two main areas where you can find information on how to handle strange situations—the PCI DSS itself, as well as the FAQ on the PCI Security Standards Council’s website. The “Navigating PCI DSS” series is also useful, but it is supplementary and cannot be assessed against. Any guidance taken from documents other than the PCI DSS should be written up as a compensating control where appropriate.

Additional documentation, such as Special Interest Group (SIG) whitepapers, does not indicate changes in the standard and must only be used for educational purposes. For example, a whitepaper from the Virtualization SIG condemning “Mixed-Mode” in large virtual infrastructures may be an indication of what a subset of stakeholders believe, but QSAs cannot act on the information contained within the paper until it ends up in the PCI DSS or in some other formal communication from the Council directing QSAs on how to assess these environments.

This post originally appeared on BrandenWilliams.com.