Andrew Conry-Murray of InformationWeek writes:

Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It’s not the physician’s fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson.

Could I have said it better? PCI? Program not Project? Homer Simpson? I think not.

This is why we created the PCI Program Management offering at VeriSign. It helps customers maintain compliance and gives management confidence that they are compliant every day.

Oh yeah, and don’t forget, all QSAs are not created equal!

