I have received the go ahead from the Marketing people over at the PCI Security Standards Council to interview Bob Russo, the PCI Council’s General Manager (I met him at the PCI mini-seminar I blogged about). Since I haven’t been into podcasting for a while, I am going to go down the Cutaway path and send him a series of questions via a Word doc. But I thought it would be cool for a lot of the questions to come from my readers. BTW, the final interview will be posted on my Computerworld blog.
Soooo, if you are interested in PCI and want to ask THE MAN some questions, please send me questions at questions_at_infosecplace.com or my contact page.
Vet

Jeremiah,
Great questions. I will add them to the list.
Michael
I got some…
1) Websites are publicly exposed all the time for having XSS and SQL injection vulnerabilities, both of which are not supposed to appear on certified websites according to the standard. When/If this happens on a PCI-certified website, is the website still considered certified after the point of disclosure?
2) Let’s say the exposed vulnerability was found to have been missed during the last PCI audit/scan (no fault of the merchant). Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action? What if this becomes a pattern rather than a one-time event? Has any type of vendor disciplinary action been levied before?
3) Is it the PCI Council’s position that merchants who are PCI certified are “100% secure” against the compromise of cardholder information? If not, then are PCI-compliant merchants free from liability and further disciplinary action (fees, etc.) if an incident were still to occur?