Filed Under (Compliance) by Michael Dahn on February-28-2008

I wrote in the last post about the importance of education in mitigating risk.  I teach, literally, thousands of people around the world about PCI every year, and speak with even more people online and offline.  Even those who feel well versed in compliance and security have something to learn when we talk, because the problems we are trying to solve are not trivial.

There are over 370 people in the PCI Forum posting thousands of threads about the nuances of compliance.  This is not to say that compliance is impossible.  As long as you take a risk-based approach to meeting the intent of the requirements, it can be rather simple.  The problem is that it takes an understanding of how systems are compromised (specifically within the payments industry) to understand how to protect them.

On this note, I really enjoyed reading about the One Laptop Per Child (OLPC) Bitfrost security architecture, designed by Ivan Krstić.

I constantly preach the following topics:

I’m happy to hear that others, such as Martin McKeay, also agree that there is no single solution to compliance.  Compliance is more than the sum of its parts: the gestalt of PCI compliance is specific to each organization and encompasses the risk mitigation, specific to that company’s business operations, that it undertakes to protect cardholder data.

“There is no list, no resource to refer to, no silver bullet for compliance and despite many marketeers’ wishes, there probably won’t be.” - Martin McKeay
