Step into the way-back machine with me and let’s turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust((Although poor corporate accounting practices had a hand in this one as well.)). Information security was this fledgling group in most companies that was called to clean up virus outbreaks.

Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we still were playing catch up.


Now let’s fast-forward to December 15, 2004, when the first release of the PCI DSS made its way into our hands. Those of us in the industry had been working under the Visa CISP and MasterCard SDP programs, which looked very similar to the standard and the SAQ. The difference this time was that one single body covered payments for all the major card brands, globally.

But something else needed to happen before sweeping changes in payment security could occur. I liken it to a man sitting in his favorite chair at his house. If you want him to move, you have to make it so uncomfortable, or even painful, for him to remain in his chair. CFOs fought PCI DSS because they saw it as a sinkhole that couldn’t be filled. Millions of dollars were needed to bring most companies into compliance with PCI DSS, and in this case information security would be a byproduct of the effort.

Now 2007 comes around, and merchants start to feel the effects of the Compliance Acceleration Program—another gentle nudge by Visa. Companies that chose not to validate compliance finally had a financial incentive (or enough pain) to move out of their comfortable chair and put some training wheels on their information security programs. It still cost millions of dollars, but it was now seen as a need to have vs. a nice to have—driven by PCI DSS and the fear of failing an assessment.

Now Visa has implemented the Technology Innovation Program (TIP). A big incentive to participate is the ability for merchants to forgo their assessment process if they meet certain requirements—one of which is upgrading their infrastructure to support dynamic payment methods such as EMV and contactless payments. After all of the good things (albeit begrudgingly adopted) that PCI DSS did for security, it now looks like the standard may become less relevant as merchants upgrade their infrastructures under the TIP ((Keep in mind, the TIP does not remove the burden of complying with PCI DSS from a merchant; it only removes the burden of validation. If you have a breach and are found not to comply, it will be painful for you.)).

With the information security training wheels of PCI DSS soon to be removed, it’s time for information security to stand on its own, and not as a byproduct of a compliance stick. Do you think that the TIP will reduce the impact of PCI DSS, and ultimately weaken the information security programs for companies required to comply? If so, what will you do to ensure you can sustain and improve the current state of information security in your enterprise?

This post originally appeared on
