Several people commented on my previous PCI postings and have recommend that when implementing PCI DSS, it should be done in the spirit and intent of the spec, and not necessarily in accordance with the exact wording.
The primary point of my posts were that the spec is vague in many areas and should be rewritten or clarified.
The argument of "Use the spirit, not the letter" is only good until I squander thousands of dollars for a failed PCI audit because the Auditor was not interpreting the requirements in the same "spirit" as I was.Things of this nature should be specifically spelled out and carefully worded. Leaving them open to interpretation can and will cause problems. This is especially concerning when State Governments (Texas and Minnesota) start adapting this Spec as State Law. I believe its only a matter of time before some poor shmuck fails an expensive PCI audit and drags this into the court system. And with it now becoming a government mandated requirement, its inevitable that without improvement, interpretation is going to ultimately fall in the hands of judicial courts that lack the proper technical background.
No comments:
Post a Comment