If you have a chance, download a copy of this podcast. There are two parts plus a transcript and it is well worth the effort. I would like to thank Bill Brenner and Martin McKeay for having the foresight to get together a panel of people to discuss this topic. I would also like to thank the panel for providing probably the best discussion yet of the pros and cons of PCI.
- Jack Daniel, a member of the National Information Security Group (NAISG)
- Ben Rothke, senior security consultant for BT Global Services
- Dr. Anton Chuvakin
- Ward Spangenberg, a Seattle-based security consultant
- Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA)
Based on my interpretation of the podcast, here are the takeaways that I got from listening to this great discussion. Interestingly enough, some of them may sound very familiar.
- Security is not perfect. There will always be a risk no matter what you do.
- There will always be organizations that just do not get it and never will.
- If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.
- The PCI DSS is common sense not rocket science.
- The PCI standards are not perfect, but they are better than nothing.
- The PCI standards are a bare minimum and you must go beyond them to better ensure security. However, if you can consistently execute the bare minimum, you are ahead of the curve.
- Most Level 2, 3 and 4 merchants are clueless about security let alone the PCI standards and will likely remain targets.
For reference, I have put in links to those relevant postings that I made on similar topics over the last year.