Archive for January 24th, 2010


The Great PCI Debate

If you have a chance, download a copy of this podcast.  There are two parts plus a transcript and it is well worth the effort.  I would like to thank Bill Brenner and Martin McKeay for having the foresight to get together a panel of people to discuss this topic.  I would also like to thank the panel for providing probably the best discussion yet of the pros and cons of PCI.

  • Jack Daniel, a member of the National Information Security Group (NAISG)
  • Ben Rothke, senior security consultant for BT Global Services
  • Dr. Anton Chuvakin
  • Ward Spangenberg, a Seattle-based security consultant
  • Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA)

Based on my interpretation of the podcast, here are the takeaways that I got from listening to this great discussion.  Interestingly enough, some of them may sound very familiar.

  • Security is not perfect.  There will always be a risk no matter what you do.
  • There will always be organizations that just do not get it and never will.
  • If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.
  • The PCI DSS is common sense not rocket science.
  • The PCI standards are not perfect, but they are better than nothing.
  • The PCI standards are a bare minimum and you must go beyond them to better ensure security.  However, if you can consistently execute the bare minimum, you are ahead of the curve.
  • Most Level 2, 3 and 4 merchants are clueless about security let alone the PCI standards and will likely remain targets.

For reference, I have put in links to those relevant postings that I made on similar topics over the last year.

