
Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard

stiine Silver badge

The problem is that they have to scan your production environment, and if you don't have two of them, then you risk their scan destroying that environment. This is because you are allowed to instruct them not to exploit the vulnerabilities that they think they've found. If they were required to exploit vulnerabilities as part of the external scan, every company would need 1/3 more resources (assuming prod, test, and dev environments: IP addresses, hardware, software, etc.) in order to allow one environment to be broken during the audit. If you want the cost of everything you buy to go up by 20% (before taxes), push for this change to PCI.
