Folks in IT tend to ask a lot of questions. We're a curious breed by nature. In fact, we have to be. Change comes about so quickly in our industry, technology moves so fast, and our businesses adapt so fluidly that we have to ask questions just to keep up. Some might even say that a healthy curiosity is the hallmark of a successful IT professional -- and I wouldn't disagree. So when I'm in the field and an IT professional has a question about some specific technology, about some new regulation, or about their information security program, it's not usually cause for comment.
Ed - good write-up. It's interesting to note that many of the recent breaches have occurred at companies that achieved PCI Compliance, highlighting that compliance does not equal security.
Merchants that get breached can face significant financial, business and PR consequences so it's an important distinction to make.
Here is a blog post I wrote about the details of PCI levels, self assessment questionnaires, etc. http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/
PCI is what happens when you take a bunch of suits and put them into a room and tell them to read a bunch of textbooks on how secure systems should be put into place.
PCI does very little to actually make systems more secure, and on top of that the requirements are so onerous you're left with a system that's horrible to work with.
After the company I worked for passed a PCI audit last year, I'm left with a set of back-end servers without external internet addresses that I'm stuck tunneling in to install security updates.