I was sitting in a meeting earlier this year and someone asked me a “quick” question about PCI DSS. Always happy to oblige, I listened to the person walk through a very intricate discussion and setup for this question (on the order of just over five minutes) to finally get to the punchline: “so is this out of scope?”
I’ve been in those discussions before, and at times the systems were so complex that they warranted a five-plus minute review just to set them up. In this case, though, the majority of the discussion was around specific semantics and nuances of interpretation that could cause a particularly problematic system to be shifted off of this compliance manager’s desk. Compliance in a world of corporate P&Ls is a higher-stakes game than many insiders are willing to admit. Regardless, I made an observation about this interaction (one I have made before) that I have since validated over the last few weeks:
If you are arguing semantics and nuances of interpretation that turn more on sentence structure than on actual technical requirements, RED ALERT. You are probably wasting energy trying to get out of doing something instead of focusing that energy on a solution.
It’s the old trick of wearing an auditor or assessor down until they finally throw up their hands and say, “FINE. Whatever you want,” just so they can get on with their lives. But what happens during an incident investigation when that same system was left unaddressed and is now the focus of the root cause analysis? Blame the auditor/assessor? You can certainly try, but history says that’s not going to get you very far.
When you find yourself in a situation like this, I would suggest that a good course of action is to outsource that particular function/system. Meaning, if you have this one troublesome system that has been lagging behind IT updates and maintenance, figure out what it would cost to have someone either take it over in place, or replicate the functionality in a managed environment (with the third party accepting full liability for its actions, in writing). Keep in mind that handing the system to a service provider does not hand over your own obligation under PCI DSS to manage that provider and confirm it is meeting its responsibilities; it narrows the problem, it does not make it disappear.