Monday, January 08, 2007

What is the next step after a PCI audit?

I am posing a generic question to see what the next logical step is for an organization. I have been thinking about a few scenarios and here is what I came up with:

1. Send the findings up the food chain to management and let them decide how important actually fixing it is and wait for orders.

2. Make your bones by actually having a solution in your hip pocket to address the holes in the audit and take it from "Here's how broken we are" to "and here is how I think we should fix it".

3. Outsource everything entirely, only there is no one to my knowledge willing OR able to assume the liability of non-compliance, at least from a technology standpoint (but what a business), although the technology exists.

4. Do nothing and see what happens. AKA roll the dice, AKA "We're too small", or "We just spent $100,000 on security last year, we'll be fine".

What are YOU seeing? I am guessing #1 and #4 are getting a lot of consideration.