I like the idea. But isn't it a common complaint that at a company there are very few people there that really have a holistic view? That it would be as hard to bring a regulator in to inspect as it would be a new hire?
Compared to engineering where you often see the same things from job to job.
While PCI is its own bag of worms, part of the certification process is to describe the architecture to an outside auditor. It's annoying and companies can (and will) complain all they want, but without meeting that requirement, the company can't say they're PCI compliant. Which they want to be. So they meet that requirement.