Please don’t take the title to mean that Dave doesn’t get it right often; I just wanted to laud this recent column at StoreFront BackTalk. The quote that specifically drives the nail home is:

If you’re thinking that the Hannaford security breach is a very isolated “blip” and that PCI compliance is the same as securing the enterprise against security breaches, you’d better think again. Why? It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.

Could not have said it better myself, Dave. The two points he brings out are: 1) compliance is not the same as security, and 2) you have to MAINTAIN what is assessed.

I had a conference call today with a prospective customer who was really interested in beating the standard by focusing on security. It was refreshing! Most customers say, “Just tell me the minimum I have to do to get the check mark.” Gold star for point numero uno.

On the second, I’ve mentioned before how important maintaining compliance is. We even created a service around it. But actually doing something just for the assessor to see, and then undoing it? I really hope that is not happening. Just going through the motions does not do you any good.