Businesses accepting credit cards have to ensure their networks are secured according to the Payment Card Industry Data Security Standard, and to achieve that, they often make security investments based on the advice of the organization setting the standard and its 60 or so qualified security assessors (QSAs) empowered to judge whether a business is PCI compliant or not.
The situation has given the PCI Security Standards Council — which requires its membership be allowed to read or comment on any of its proposed standards — great power to alter the direction of network security. Moreover, QSAs typically make recommendations about which security products and services to buy, and therefore have a new power-broker role.
Businesses are at liberty to hire any QSA they wish to go through what’s becoming an annual PCI audit process, but questions are starting to be raised, even by the council itself, about how achieving PCI compliance works. One thing is clear—if you don’t achieve compliance, you may not be allowed to process credit cards.
Achieving compliance often requires the business being audited to make changes, including purchasing new products, to meet the council’s 12-part security rules, and the QSA is there to tell them what to do. “When a company becomes a QSA, they sign a document with us that they are not allowed to go in and say ‘the only way to fix this is with a product I sell,’” says Bob Russo, general manager of the Wakefield, Mass.-based PCI Security Standards Council, formed two years ago by the credit card associations including Visa and MasterCard. It’s fine for QSAs to recommend their own products to achieve PCI compliance, but “You can’t say, ‘you need my product in order to be compliant,’” he says.
The council’s PCI-compliance program includes a feedback form that merchants are supposed to fill out that would let them divulge what transpired with a QSA, but Russo acknowledges these forms aren’t always making it to the council. The council is considering hiring a quality-assurance specialist to keep an eye on the QSAs. “We’re interviewing now for a quality-assurance person for this,” he says. One thing the specialist will be doing is talking to merchants to find out if they were coerced into buying products.
IBM clarification regarding PCI story
By Howard Glavin on November 20, 2007, 2:21 pm
Dear Editor, I'd like to clarify a point in Ellen Messmer's story, "PCI compliance mandate's power raises conflict-of-interest questions" on November 8, that...
IBM Already in Conflict?
By swmcdermo on November 12, 2007, 11:37 am
It's clearly stated in the QSA contract with the council that QSAs cannot exclusively push their own software/solutions. If there is an IBM director saying IBM will...
Reporting Conflicts?
By swmcdermo on November 12, 2007, 11:36 am
I can't see companies turning on the very resources they are using to say they are PCI compliant. The merchant doesn't care who they spend their money with - they...
RE: PCI compliance mandate's power raises conflict-of-interest questions
By Andy Wilby on November 9, 2007, 4:09 am
The potential for conflict of interest with the same person selling security equipment who is conducting the audit is poor. The only way around this is independent...