Tower of Limes, by Darwin Bell

The PCI Security Standards Council released an updated Prioritized Approach document for PCI DSS 2.0 on Tuesday with associated tools and change documentation. I posted about the version of this document made to address PCI DSS 1.2 in 2009, and many of my comments still carry forward with this version. But let me take a moment to refresh the content as more than two years have passed since the original post.

First off, it’s 2011. PCI has been enforced in the US with fines since 2007, and now globally in the last year [1]. This isn’t our first rodeo, as it were. So what kinds of companies would be interested in using this document?

Companies doing M&A activity might be very interested if they are already validating per the Level 1 guidelines, but would be purchasing someone who does not. Non-US companies would definitely be interested as they are just now starting to feel the pain of fines. Companies meeting the EMV exceptions should also consider keeping this handy as they validate for the first time. The dangers I mentioned last time absolutely still stand. This document takes into account assumptions that may not fit with your organization, so if you find yourself in a position that requires use of this document, remember that you will need to customize it for your own environment. Also, don’t forget that strategies designed to eliminate or outsource payment systems and data will be much more effective than following this document without those same strategies. You don’t have to protect what you don’t store, process, or transmit!

This post originally appeared on

  [1] Note that I am mostly speaking about Visa’s Compliance Acceleration Program here as no other payment brand published fining procedures for public consumption, even though I know they have happened prior to the dates listed here.