Section 404 of the Sarbanes-Oxley Act of 2002 requires management assessments of internal controls. At fewer than 200 words, it is the most complicated, most contested and most expensive part of the monstrosity known as SOX. In those short and terse paragraphs, public companies were somehow expected to quickly understand what actions to take.
The bill was created in part as a reaction to the failings of the auditors at Enron. It is somewhat ironic that SOX also created a massive need for auditors to go back to those companies and audit them for SOX compliance. SOX was also pejoratively called the auditor’s full employment act for that reason.
Moving to the electronic payment space, when the first version of the Payment Card Industry Data Security Standard (PCI DSS) was issued in 2004, it was about 60 pages long and quite descriptive.
At 139 pages and more than 51,000 words, the current version of PCI DSS, version 3.2.1, is quite detailed. Nonetheless, firms and those tasked with PCI compliance still struggle with its implementation. In PCI DSS: An Integrated Data Security Standard Guide (Apress, ISBN 978-1484258071), author Jim Seaman (full disclosure: Jim is a friend, former co-worker and an original participant with me in the PCI Dream Team webinar series) has written a practical and tactical guide that provides much-needed advice and direction for those charged with PCI compliance.
While the PCI DSS requirements and security assessment procedures are perhaps the most descriptive and prescriptive of any regulation, standard or law, there are still a lot of details and information needed to ensure compliance. The book helps the reader fill in those gaps.
Using his experience in the military, Jim explains many of the PCI and payment concepts with pictures and graphs. As detailed as the PCI DSS may be, many people who are tasked with PCI compliance still struggle to understand the core concepts they are expected to implement.
As a former PCI Qualified Security Assessor (QSA), I spent many a time on a PCI audit explaining to clients the fundamental aspects of credit card processing and security. This is a book they should have read in advance to understand these ideas and requirements.
For those looking for a reference guide to illuminate the myriad details of what they need to know about the standard, PCI DSS: An Integrated Data Security Standard Guide is a helpful resource that will get them there.