Have you all seen the ‘sneak peek’ yet?
I have to admit, that with 3 YEARS to accept and process feedback, I was hoping for a little more in the way of progress. I’m optimistic that way, but I really should have known better.
Many changes were proposed, lots of them good, some of them naive and bordering on the comical, but any that made it through are so watered down as to be virtually irrelevant. And we won’t get any more for 3 more years?
The standard is already behind the times, and is only going to become more so if it does not keep up with payments innovation and show a better integration with the needs of the business, i.e. STAYING in business.
I have taken the table of changes out of the SSC’s document and added my own thoughts. Unfortunately they are overwhelmingly negative, and at times my frustration is clear. Go here if you want to download it.
I do however want to make it clear that I’m not against the PCI DSS as much as I appear. No standard has raised security awareness as much before, or since, and it’s the only one that puts its money where its mouth is. While there is still some vagueness and room for interpretation, it’s a damned sight better than just saying ‘use appropriate security based on good practices’ like most do.
The reason I stick to the negative is I’m assuming the positive is self-evident, and all I really care about is addressing the gaps to where it should be. As Ego says in Ratatouille: “In many ways, the work of a critic is easy. We risk very little yet enjoy a position over those who offer up their work and their selves to our judgment. We thrive on negative criticism, which is fun to write and to read. But the bitter truth we critics must face is that, in the grand scheme of things, the average piece of junk is more meaningful than our criticism designating it so.”
This applies every bit as much to my blogs.
I have only addressed the PCI DSS stuff; PA-DSS is not my thing. If someone wants to take a stab at that, I’ll be happy to post it here as a guest blog.