The first question from this session was “Are end of life operating systems able to be used?” The thing that really worries me about retail is that information security does not seem to be built into the price of goods on the shelf. When someone asks if they are expected to replace hundreds or thousands of devices for PCI Compliance because Microsoft will not support them anymore, I worry more about the overall security of the company. This seems like a reactive approach without any forward strategy, which is unfortunately fairly common.

I understand the business implications here. If your competitors are not doing this, you could face additional price pressures by trying to do the right thing. That said, I am a firm believer in doing the right thing for the best long term growth strategy.

The next couple of questions were arguments of semantics. It also seems that some of the attendees are not fully using the information provided by the Council. There is the Navigating PCI-DSS document that helps with intent, and the FAQ, which answers some of the questions that were asked.

The next one was a compliance versus security question. The point made is valid, but with PCI-DSS being applicable to any merchant accepting credit cards regardless of size, you can’t expect that the merchant with 100 cards per year is going to jump through the same hoops as a Fortune 500 retailer.

Also, it is a bad idea to spend ten minutes trying to show the Council how smart you are about security. They will remember you, and not necessarily in a good light.

The next question was an excellent point on a potential interpretation of 12.8 that will be giving QSAs a headache. I won’t go into it here, but we have to think about intent and use a little common sense.

A question about dates was posed next, but that is answered in the lifecycle document. Also, don’t forget, the card brands are the enforcement arm of PCI, not the Council.

The next couple of questions were minor ones that any QSA should be able to answer.

Then came a merchant that put forth a story about the work he had to do to maintain his business. Again, folks, you’ve got to build security and compliance into the cost of your product. The one point of his that is valid is that he wants things more prescriptive to avoid variance in QSAs (with applause from a few people at the end). While this is not necessarily achievable, I do think VeriSign might have some solutions for you. If this was you, please email me. We can help you through this on a global scale.