A tale of two PCI security audits

27.10.2008
Ask security professionals what the is and most will start grousing about the auditors.

Some will describe the auditor who came in and started faulting their controls without first taking time to understand the specific business dynamics the controls were designed to address. Others will lament that their auditor required them to to attain a passing compliance grade.

Robert Duran and Allan Kintigh have endured the auditing process, but one man's experience was more unpleasant than the other's. Nevertheless, each has come away from it with a solid security program.

Duran is information security and privacy officer at Time Inc., the New York-based media giant of 10,000-plus employees. Under PCI DSS, Time is a level 1 company, which means it processes more than six million credit card transactions a year and is subject to an annual on-site audit and quarterly network scans performed by an approved vendor. [Level 2 and 3 companies process 20,000 to 6 million credit card transactions a year and must fill out an annual self-assessment questionnaire and have an approved vendor do quarterly network scans.]

His experience is that the auditors often don't know what they're talking about.

Kintigh is a software engineer with Minnesota-based National Bankcard Services, a payment card transaction processor with fewer than 20 employees. Though tiny compared to Time Inc., the company is still level one because it too processes more than six million credit card transactions a year.