Reply to post: Re: I bet it's even less in reality...

Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard

Anonymous Coward

Re: I bet it's even less in reality...

The problem is that the questionnaire is set up to where you have to answer "yes" on everything to pass. A single "no" means that you fail.

I work in IT security. I hold several IT security certifications, and have over 25 years of experience in IT. I can honestly say that it is completely unrealistic to be able to answer "yes" to 100% of the questions on the PCI questionnaire.

You read the thing, and keep thinking to yourself that this must have been written by a group of academics who have never worked in an actual business or met real human beings.

The only way to answer "yes" to 100% of the questionnaire would be to close the business and lock up all of the servers in a vault somewhere. This is where the "clicking yes to everything" (the AC above mentioned) comes from.

I do completely agree with the spirit of what PCI DSS is trying to do. And I agree that as much as 90% of what is being asked is essential to security. The problem is the 10% that is not going to happen in most operating businesses.

I will also point out that most of the major breaches of credit card information happened at companies that were PCI Level 1 compliant at the time of the breach. That one fact right there shows what a useless exercise PCI really is.
