Thursday, March 15, 2007

PCI and SAS 70 - Mind The Gap?

I am trying to figure out the gap between a SAS 70-compliant facility/environment and one for PCI. Has anyone done a gap analysis on these two? I have my brain wrapped around PCI. Not so much on the SAS 70 piece.

The reason I ask is that I am watching what I believe to be an emerging trend: outsourcing for PCI compliance. In other words, outsourcing the liability (to some extent). The advantage I see to working with a managed services vendor who is SAS 70-compliant AND publicly traded is that auditing is already built into the business operations. It's not a new division, a new effort, etc.; it's habit. It is something that is already done and is an extension of the business/business model, versus something for them to figure out for me, their shiny new customer.

Blogger Arian Eigen Heald said...

The biggest difference to note is that SAS 70 (and there are two types, Type 1 and Type 2) relies on the CLIENT to provide the controls that will be tested.

If the client doesn't list firewalls as a network control, I can't test it (and this is with Type 2). Not a good audit, from my point of view.

PCI is much tighter. Don't necessarily rely on SAS 70 results without taking a REALLY good look at what controls are in place.

10:01 AM  
