filter, by mason bryant

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps:

  • Make PCI DSS more prescriptive and remove gray area!
  • Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard!

While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a topic similar to this: should PCI DSS evolve into a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of encouragement suggesting that security professionals are ready for the standard to add more controls. I suppose this could be for a couple of reasons, one of which is that they are having trouble selling more advanced security solutions to their executives and want the PCI DSS stick to help them out.

My main question to you out there is this: do you want more stringent PCI DSS requirements, and why? If you decide to comment below (which I hope you do), I’d also love to hear your thoughts on what your employer (or your customers) would say to a more or less stringent PCI DSS as it applies to each entity. For those of you who have been around for a while, think back to the yelling and screaming we heard back in 2005-2008 as companies first started learning about PCI DSS, and then started facing fines for non-compliance. Would we get the same kind of screaming today if more stringent controls were put into PCI DSS 2.x/3.0?

This post originally appeared on BrandenWilliams.com.