PCI and SAS 70 - Mind The Gap?
I am trying to figure out the gap between a SAS 70 compliant facility/environment and one for PCI. Has anyone done a gap analysis on these two? I have my brain wrapped around PCI, not so much the SAS 70 piece.
The reason I ask is that I am watching what I believe to be an emerging trend: outsourcing for PCI compliance. In other words, outsourcing the liability (to some extent). The advantage I see to working with a managed services vendor who is SAS 70 compliant AND publicly traded is that auditing is already built into the business operations. It's not a new division or a new effort; it's habit. It is something that is already done and is an extension of the business/business model, versus something for them to figure out for me, their shiny new customer.
Thoughts?
pcistuff@gmail.com
1 Comment:
The biggest difference to note is that SAS 70 (and there are two types, Type 1 and Type 2) relies on the CLIENT to provide the controls that will be tested.
If the client doesn't list firewalls as a network control, I can't test it (and this is with Type 2). Not a good audit, from my point of view.
PCI is much tighter. Don't necessarily rely on SAS 70 results without taking a REALLY good look at what controls are in place.