"What would my QSA say?" - Why this is the wrong question to ask yourself #pcidss

Many aim to please their QSA and get "approval" (the use of that word is a topic for another post) of things like compensating controls.  When something comes up that requires some real thought as to whether it meets the expectations of PCI DSS, they ask themselves this question:

"What would my QSA say?".

The question you should be seeking the answer to is quite a bit longer: [warning run-on sentence]

"What would a team of QSA's that know nothing about my business or my environment who have just been sent in by the card brands and are working elbow to elbow with a forensics team because we have just had a breach say about this?"

Posted via email from ken5m1th

No comments:

Post a Comment