
Should PCI DSS auditors be subjective?

In this expert Q&A, security pro Mike Rothman discusses whether or not a PCI DSS audit should be subjective.

How subjective is a PCI audit? Does the scope of a PCI audit make it more difficult for an auditor to be subjective?

Every audit, in some way, shape or form, is subjective. The reality is it needs to be. If you are looking simply for an automaton to go through a checklist and give you a clean bill of health, you are missing the point of the audit.

Most people fail to realize that audits can and should be a productive experience that not only helps an organization learn what it needs to do better, but also provides some perspective on best practices and other techniques that can improve the information security posture of an organization. The auditor sees far more than you do, so this person should be treated as a resource.

I would encourage my auditor to use his or her subjective opinion of my environment to help me improve my security. And given the wide-ranging nature of different technology environments, it's not possible to define regulations tightly enough to remove subjectivity.

If we are talking about PCI DSS specifically, let's take its first requirement -- "Install and maintain a firewall configuration to protect data." How is that anything but subjective? The auditor will ultimately be the one who defines what an acceptable firewall configuration should be. PCI DSS's third requirement -- "Protect stored data" -- is similarly nebulous. As you dig into the details of each requirement, there are more specifics detailing what each requirement means, but there is wiggle room -- there always is.

So the bottom line is that an audit, even a PCI DSS audit, is going to be partially subjective. Keep that in mind as you gather your data and go through your audit.

For more information:

  • In this tip by contributor John Kindervag, learn the five biggest misunderstandings about PCI DSS.
  • Learn how PCI DSS compensating controls can help corporations build a strong security program that appeases both examiners and security pros.

This was last published in July 2007.
