It’s been an interesting week in the PCI DSS world. I was a contributor to a webcast from First Data on scope reduction using tokenization. We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona.

Y2K, by Nancy Wombat

From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the Pacific Rim, the Middle East, Asia, and Europe. Companies based in Australia and New Zealand seem to be taking a particular interest in PCI DSS, at levels equivalent to what we saw in early 2007, before the Visa CAP started enforcing fines. Some of my favorite PCI DSS discussions are with companies that are just starting to explore this complex standard.

Square 1, as it were.

I was on the phone with representatives from a company this week when someone asked me how serious PCI DSS was, and whether it would end up being another Y2K (meaning: HYPE HYPE HYPE HYPE HYPE HYPE fizzle). I had never thought of it that way, but the parallels between how we solved the Y2K problem and how many companies approach PCI DSS are very interesting.

Those in the industry who lived through the compliance scrambles of 2007-2009 remember that companies often struggled in year two, because they forgot that PCI DSS is a continual process and not a one-time project like Y2K was. Controls that had been put in place and validated either disappeared or were neglected. Big examples include quarterly scans, daily log reviews, and change control tickets.
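The year-two drift described above is easy to detect if you keep a dated record of the evidence each recurring control produces and look for gaps longer than the control's cadence. The following is an added example, not code from the original post or from any assessor's toolkit: the cadence figures and the evidence log are constructed for illustration, and the day counts (90 for the quarterly scan, 1 for the daily log review) are assumptions, not quoted requirement text.

```python
from datetime import date

# Maximum allowed number of days between two pieces of evidence for each
# recurring control named in the post. Assumed values for illustration.
CONTROL_CADENCE_DAYS = {
    "quarterly_external_scan": 90,
    "daily_log_review": 1,
}

# Constructed evidence log: (control name, date the evidence was produced).
# It deliberately contains the kind of year-two gaps the post describes:
# a skipped Q3 scan and a missed day of log review.
SAMPLE_EVIDENCE = [
    ("quarterly_external_scan", date(2010, 1, 15)),
    ("quarterly_external_scan", date(2010, 4, 10)),
    ("quarterly_external_scan", date(2010, 10, 20)),  # Q3 scan never happened
    ("daily_log_review", date(2010, 10, 25)),
    ("daily_log_review", date(2010, 10, 26)),
    ("daily_log_review", date(2010, 10, 28)),  # the 27th was skipped
]

# Constructed "today" for the check, so the example runs the same way offline.
AS_OF = date(2010, 10, 28)


def find_gaps(evidence, cadence, as_of):
    """Return findings as (control, gap_start, gap_end, gap_days).

    A finding is emitted for every interval between consecutive evidence
    items, or between the last item and ``as_of``, that exceeds the control's
    allowed cadence. A control with no evidence at all is reported once with
    gap_start and gap_days set to None.
    """
    by_control = {name: [] for name in cadence}
    for name, when in evidence:
        if name in by_control:
            by_control[name].append(when)

    findings = []
    for name, max_days in cadence.items():
        dates = sorted(by_control[name])
        if not dates:
            findings.append((name, None, as_of, None))
            continue
        # Append as_of so a control that simply stopped is also caught.
        checkpoints = dates + [as_of]
        for prev, nxt in zip(checkpoints, checkpoints[1:]):
            gap = (nxt - prev).days
            if gap > max_days:
                findings.append((name, prev, nxt, gap))
    return findings


def format_findings(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for name, start, end, days in findings:
        if start is None:
            lines.append(f"{name}: no evidence on record as of {end.isoformat()}")
        else:
            lines.append(
                f"{name}: {days}-day gap between {start.isoformat()} "
                f"and {end.isoformat()}"
            )
    return lines


if __name__ == "__main__":
    for line in format_findings(find_gaps(SAMPLE_EVIDENCE, CONTROL_CADENCE_DAYS, AS_OF)):
        print(line)
```

Run against the constructed log, the check reports the 193-day gap between the April and October scans and the two-day gap in log review; the same function, fed from a ticketing or scanning export, gives a year-two program an early warning before an assessor finds the hole.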

For those of you taking on this task today, do yourself a favor and treat it as a journey, not a project. PCI DSS is a process of continuous improvement and a constant reminder of the war we face with the bad guys. Celebrate crossing the first mile marker when you initially achieve compliance, but don’t forget there are many more miles to go.
