If you have a chance, download a copy of this podcast. There are two parts plus a transcript and it is well worth the effort. I would like to thank Bill Brenner and Martin McKeay for having the foresight to get together a panel of people to discuss this topic. I would also like to thank the panel for providing probably the best discussion yet of the pros and cons of PCI.
- Jack Daniel, a member of the National Information Security Group (NAISG)
- Ben Rothke, senior security consultant for BT Global Services
- Dr. Anton Chuvakin
- Ward Spangenberg, a Seattle-based security consultant
- Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA)
Based on my interpretation of the podcast, here are the take aways that I got from listening to this great discussion. Interestingly enough, some of them may sound very familiar.
- Security is not perfect. There will always be a risk no matter what you do.
- There will always be organizations that just do not get it and never will.
- If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.
- The PCI DSS is common sense not rocket science.
- The PCI standards are not perfect, but they are better than nothing.
- The PCI standards are a bare minimum and you must go beyond them to better ensure security. However, if you can consistently execute the bare minimum, you are ahead of the curve.
- Most Level 2, 3 and 4 merchants are clueless about security let alone the PCI standards and will likely remain targets.
For reference, I have put in links to those relevant postings that I made on similar topics over the last year.
PCI Guru 
Point – counter point
* Security is not perfect. There will always be a risk no matter what you do.
BUT, when you are compromised we will act stunned and throw you under the bus claiming you should have done more.
* There will always be organizations that just do not get it and never will.
BUT, we won’t make a distinction and define rules and regulations that assume all merchants and processors don’t get it. It makes it easier to throw you under the bus when a breach occurs.
* If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.
* The PCI DSS is common sense not rocket science.
BUT, many of the items that can result in non-compliance do nothing to add security to system.
* The PCI standards are not perfect, but they are better than nothing.
BUT, we make statements that it is the perfect solution and if you are breached it is obvious that you did not follow all of the imperfect rules.
* The PCI standards are a bare minimum and you must go beyond them to better ensure security. However, if you can consistently execute the bare minimum, you are ahead of the curve.
BUT, no matter what lever you maintain, if breached watch out for the bus.
* Most Level 2, 3 and 4 merchants are clueless about security let alone the PCI standards and will likely remain targets.
BUT, we sure want you level 2, 3, and 4 merchants to continue accepting our insecure payment product.