Colleagues of mine are working in the PCI area as well. The bad thing about these checks is that anyone can run a 'tool' and present its report. Taking such a report apart to tell the real problems requires in-depth knowledge and time. Both are expensive and therefore omitted in many cases.
But as a colleague said: 'Compliance checks are not intended to make you happy, but to make the auditors happy.'