At work we’re continuing to chip away at dealing with PCI requirements. There are lots of lessons to be learned from such a project. One of the more painful ones: It is relatively easy to say (and even convince an auditor!) you meet each bullet requirement, but it is difficult to have effective security without improving your staff. There are a number of bullets that involve logging, reviews, and monitoring…things that are driving SEIM/SIM and other industries. But these are also things that security geeks realize really need analysts behind the dashboards and GUIs. Otherwise these products only skim off the very slim top x% of the issues, the very easy ones to detect. And miss a hell of a lot else.