• TheFault (6/15/2016)

    Having worked at a company who are supposed 'industry experts' in data security, I can tell you it is no better behind closed doors at such places. PCI audits were laughable; weak auditors accepting straight yes or no answers with no explanations, or at best 'very carefully selected' evidence to suit whichever scenario as proof of controls and measures in place. The main problem as I saw it is the auditors have zero knowledge of the hardware/software they're auditing and in most cases aren't allowed to actually see any systems due to data protection wheeled out as an excuse... :blink:

    Completely agree. I'd like to see auditors' findings be more transparent, and certainly, insurance companies requiring better security.

    Unfortunately, I think the PCI group and members are happy to allow a certain level of fraud because their profits allow for it.