I’ve long been able to identify an rss feed in my news that dealt only with PCI and be able to quickly skim it or remove it from my feeds. “PCI doesn’t really affect me, although I should stay aware of it.” Ok, I know that’s not true, I do need to know it, and this year that becomes more obvious. Our company has a soft goal of becoming PCI compliant. And, yes, it is driven by a large client who requires it.

In that light, I’ll still have to keep up to speed on PCI nuances and Q&A posts. Walt Conway over on the PCI DSS News and Information blog recently posted his top 10 myths about PCI DSS (part 1 part 2 part 3).

“And if we were compliant at that moment, we are still only one system change away from being non-compliant.”

And on the myth that “PCI is inflexible with unreasonable technical, security, and business requirements,”

I hear this one a lot, and I do not agree. Nothing in PCI is not already a best practice (so much for being unreasonable), and there is the option of a compensating control for any requirement (so much for inflexibility).

I feel that PCI is tough when a) the business doesn’t know what the business is doing (processing cards) or b) thinking about and doing security is way behind.