Directed to lie/mislead about PCI data security compliance at work?

Question by Jameson: Directed to lie/mislead about PCI data security compliance at work?
I am the lead network administrator for a company that takes credit cards via the web and phone for large Fortune 500 customers. Since a lot of our clients are publicly traded companies or financial institutions they often require us to be PCI compliant (security standard to help prevent credit card fraud).

As it relates to me being a network admin, we have to secure our physical network externally as well as our web-based credit card processing sites at an application level. Right now our web sites cannot pass the PCI external scanning requirements. If we or a third party run a test scan against them, they fail several key measurements of security due to bad coding, etc. If I tighten down the security to get it to pass the test, it will; however, the sites won't work even for placing orders! lol

That's the problem: the IT Director and CIO are under a lot of heat to get us PCI compliant, but honestly they are just really bad managers on the whole and give little communication/direction to their employees. My boss (IT Director) had me tighten down the security just for a 3rd party PCI auditor to do an external scan so it would show as passed; then we had to immediately turn it off, since these tighter security settings take down our sites. Now they are running around the company broadcasting how we are meeting these security standards and telling all of our clients we are PCI compliant, but I know damn well that today we are not. Through proper planning, testing, and execution, yes, we could be, and most people could, but as you can see this did not happen.

My big issue with this from a moral standpoint is that I was instructed to partake in what I consider to be a dishonest act. In business and sales I am fully aware that the truth sometimes has to be bent to a near breaking point to acquire business, but the way this played out leaves me with a guilty conscience. People both internally and externally are going to be lied to, and have been already. Can we become legitimately PCI compliant? Yes... but not like this. Now that they have their passed scan, no one but me really even cares about truly becoming compliant.

I think if we were a publicly traded company this would be illegal, but we are a private company. I fear if I take this to HR I may get fired by these same bosses. Since we are in an at-will employment state and I cannot tell whether this is breaking any federal law, I would have no action against them.

Please advise!

Best answer:

Answer by Let me steer you
Find another place to work. If you get in bed with con artists, you'll wake up in the clink. When they get caught, they'll blame it all on you and say you were the lead network administrator and it was your job to ensure the network was PCI compliant.

Eventually, someone will steal and use a bunch of credit card numbers from one of your sites, and then you will be the one in the hot water.

Find a reputable place of employment.
