PCI DSS is for the environment processing , transmitting & storing Card Holder Data .
What if any of the business cannot mitigate a GAP , how do you tackle such problem as an Assessor ?
Work along with such Customer to define a Compensating control for the primarily deficient Control . Measure the risk level prior & post implementation of such control , if the risk has reduced to some level , to what level ? , is the risk now at the acceptable level ? . Implement additional control to monitor to ensure risk is mitigated to meet the base requirement . Ensure secondary controls together meet the rigor of primary control .
Having a Gap in the understanding on certain Technology or the Technical Controls leads to compromise on the quality of Assessment .
Yes absolutely , its very important for Assessor to develop the required minimum skills around the technology within the scope of the assessment to be one of those good Assessors/Auditors , this is one of biggest issue & the challenge right now in the Industry to be very straight & honest here . I personally have seen stories being written very far away from the requirement & the reality .
Even though the standards are very directive & descriptive in nature , but an Assessor should not just blindly follow it line by line , one need to apply the best of his skills & knowledge to be able to reason upon before drawing any conclusions .
Its very important for all of us to work towards bringing the best , to be able to create a world which is secure & safer for all . Keep working to follow continuous Improvement cycle process . I recommend to use Capability Maturity assessment Model on individuals first & then towards the teams & organisation to understand the GAP's to be able to move forward …..