There is a big difference between being PCI DSS compliant and being “certified” as PCI DSS compliant, says e-commerce expert Evan Schuman of StorefrontBacktalk.com in this edition of the IT Compliance Advisor weekly podcast. Because audit results can sometimes be subjective, the results could mean that some retailers may not really be compliant even though someone says they are, he says.
The PCI DSS specification is under fire for enabling such ambiguity. The House Committee on Emerging Threats, Cybersecurity and Science and Technology recently held a hearing on PCI and concluded that it has been inadequate in stopping credit card transaction data leakage. The administration of PCI DSS by credit card giant Visa is one reason, Schuman says. Find out more in this podcast.