PCI conference presentation
7 Dec 09: Stephen gave a provocative speech at a PCI conference last week.
Stephen's talk was entitled "An ounce of prevention is worth more than a pound of audit" and gave a critical assessment of the limitations of audit-based approaches to fighting fraud. He also gave an overview of newer preventative measures, including end-to-end encryption and tokenization.
Audits find problems. Yet an absence of findings is not the same as an absence of problems.
An audit of course is just a snapshot. What we really need to know is whether the organisation’s processes are stable and true between the visits.
Poorly run audits are like the blind leading the blind. All too frequently, audits are purely mechanical, where both the auditor and the company representative are juniors, unfamiliar with the history of the organisation, and each with a “job to do”. Does the organisation really want its problems exposed? Does the auditor really want to find problems? Or are they in fact driven to find arbitrary problems? An auditor who finds nothing wrong can appear to have not done their job!
In the PCI debate, we should have a strong sense of déjà vu. The same methodological limitations and the same false sense of security have been seen before with ISO 9001 quality audits, financial audits, and ISO 17799 IT security certification.