OK folks, bring on the love.  Ready?  I’m going to stick my neck way out there.

PCI is easy.

*GASP*

OK, taking a company that ignored security (or only focused on one particular element of a good security program) to compliance is hard, painful, and will result in lots of kicking and screaming and other tantrum-like actions.  Why?  See this post.

But take PCI DSS on the surface.  It’s prescriptive (potentially overly so in some cases), it is based on a good, common set of security practices that, quite frankly, you should already be doing, and its impact to your organization can be limited dramatically depending on how you approach it.  If you look at the high level twelve requirements for PCI, all of them map into ISO27002 standards. Want to know what an assessor will ask you, or exactly what you have to do to comply with a particular requirement?  Read the testing procedure!  It’s right there!

Social Media KISS, by Search Engine People Blog

One of the issues customers and industry folks have with PCI is that they will pick one particular area of PCI and latch on to it as a problem. “I can’t do PCI because of X,” or “Y is TOTALLY insecure… if I do Z, I am more secure but not compliant?”

Sometimes these conversations come from people who simply do not want to go through the effort of PCI DSS and are trying to delay taking any action to resolve a gap.  Maybe they think if they delay it long enough, they will be promoted out of the job, and it will be someone else’s problem.  I once had a (former) customer tell me he could not wait to be done with PCI so he could get back to security.  What this gentleman didn’t know is that PCI was the only thing delaying him being pwned because his security was so poor.

I think if the folks screaming about PCI would stop for just a second and take a look at the item for which they scream[1], they would realize that (in most cases) good security practice tells them to do the same thing!  If we are truly security professionals, or if we care about security at all, shouldn’t we focus on improving security in our companies?  The answer is Yes, and if the method by which we motivate our companies is the stick of PCI, why not use it?

This post originally appeared on BrandenWilliams.com.

[1] ain’t ending in no preposition here, baby!  YEAH!