Audited to PCI Requirements - a fully PCI compliant organisation?
What lovely techno-babble. PCI has no requirements for you to audit access to customer email addresses (only cardholder data). Although they clearly didn't have an audit trail showing who had stolen this data, this could still be perfectly true whilst they remained PCI Compliant!
However, last summer the wonderful Travelodge website took my booking for the wrong day because, when I went back to correct a wrongly entered card number, it changed the booking date to the next available day. Given that logging of all activity relating to taking card payments is in scope for PCI, I was rather annoyed when they could not check their web server logs to prove that it was their fault I had booked the wrong day. I wonder if my email to them, which cited PCI requirements, has led their PR team to fall back on the standard in their press release.
In ten years in IT security I've yet to come across a PCI Compliant company - many that say they are, and have even been audited as such - but none that actually are 100% compliant. Know any company that actually monitors all changes to all critical files on every server and then correlates these with the approved change record? And then investigates any that don't match as a security incident?
Not dissing PCI, by the way - no standard is perfect, but PCI is probably more perfect than others - especially version 2.0! So much so that other industries are considering adopting it for protection of their data (e.g. US Healthcare).