I think one of the biggest problems with the PCI DSS is that the PCI SSC chose to use the word ‘Standard’ in its name and declared itself a standards-setting body. The word standard is defined by Merriam-Webster’s Dictionary as “something established by authority, custom, or general counsel as a model or example.” Standards dictate what someone or something should do in a given situation. Look at the IEEE, for example. It is a true standards-setting body, and the standards it issues are very prescriptive. You are not to vary from an IEEE standard without becoming non-compliant.
When you look at the PCI DSS, it is more of a framework than a standard. A framework is defined as “a basic conceptual structure.” Frameworks document the boundaries of what is acceptable for addressing particular problems, but they do not prescribe specific solutions. In my opinion, the PCI DSS is a framework, not a standard. I think that is why a lot of people and organizations struggle with complying with the PCI DSS. If it were a true standard, it would tell them exactly what to do and where to do it.
That is the problem with security. One size or solution does not fit all. What works in one situation may not work in another. Even in the same organization, you can have different security solutions for the same problem. Over time, while an original solution may still be working fine, a newer solution will be implemented to resolve a similar situation because the original solution is either no longer available or has changed and is no longer viable for the new requirement.
So let us stop getting hung up on the word ‘standard’ and move on. The PCI DSS is not a standard; it is a framework, one that sets the baseline of what, at a minimum, is required to protect cardholder data. If you can execute the framework on a consistent basis, then you will be ahead of the game. If you cannot execute it on a consistent basis, then you should do everything you can to not store cardholder data.