Friday, August 5, 2011

PCI Compliance

During a recent webinar I attended, a question was asked whether PCI compliance is the same as SOX compliance. My experience has been that many in IT organizations presume they are the same, but there are some very significant differences.

First, SOX is a federal law, and with it comes enforcement by the FBI or other law enforcement agencies.

Auditors use SOX as a guideline and much of Section 404 is subject to interpretation as to how to achieve compliance.  I experienced this in 2005 when I worked with 3 different external audit firms engaged to help during my employer’s initial assessment.  All had good ideas, but there was a difference in the viewpoints.

The Payment Card Industry Data Security Standard (PCI DSS) is not a law, but rather a contractual standard that requires participating merchants, banks and credit card processors to comply. Credit card companies can change it at will and enforce it as they choose, with no appeal process.

The volume of credit card transactions determines the audit requirements, and any credit card transaction is in scope, including those taken by pen and paper. Financial sanctions for failure to comply are steep and may even include loss of a merchant's status to process credit cards. This is a risk to a merchant's reputation and to its ability to execute sales transactions.

A PCI compliance audit is also different. The processes and data in scope for review differ from those of a SOX audit. The PCI Security Standards Council has done a great job of providing a detailed audit process. It is very specific and straightforward. You can download it from their web site at https://www.pcisecuritystandards.org/security_standards/documents.php.
