PCI DSS Compliance Advice for the Security Practitioner

the background

The implementation of a PCI DSS compliance program can seem like a no-brainer to the Seasoned Security Person™ who's been saddled with (or taken on!) such a challenge. That may very well be the case, but there are some caveats which have little to do with the technical aspects of security. I hope the below will serve to save someone the (ahem) "novelty of discovery".

Note that this list will change over time as my experience with DSS compliance programs evolves.

the starting premises

the bullet list

in conclusion...

So, there you have it. Your technical chops may be top-notch, but unless you consider the non-technical aspects of such a compliance program (buy-in, funding, governance), you're likely to find yourself in the weeds. Symptoms include, but are not limited to: elevated blood pressure, rash, spirit voices demanding that you do unspeakable things, sleep-writing letters of resignation, etc.