The PCI DSS process is about to get more complicated and compliance is going to be harder to obtain – and frankly that’s a good thing. Moving compliance efforts closer to real security efforts benefits the protection of data. Making compliance something to obtain, and not simply purchase, will create ownership and buy-in in the compliance process. Buy-in often leads to understanding, which in turn can lead to valuing the effort and target outcome.
I look forward to seeing a few more teeth added to the PCI DSS, even if it takes the creation of a little kicking and screaming by the FTC.