PCI Is Meaningless, But We Still Need It

There's a good rant at InformationWeek on PCI.

"The Heartland Payment Systems breach
demonstrates that PCI is bunk. Unfortunately, unless something better
comes along, bunk is better than nothing.

The PCI compliance program is like a Zen koan: it's a proposition
that can't be understood rationally. Unlike a koan, however, pondering
on PCI won't eventually lead to higher awareness. It will just drive
you crazy.

Consider this statement from Visa regarding PCI assessments.
Assessments "do not guarantee that those security controls remain in
place after the review is complete."

In other words, a company is only compliant with PCI's security
standards during the time of review. Once the assessors leave the
building, all bets are off. So, PCI wants to enhance the security of
payment account data, but it will only validate that enhancement within
the limited time period of a review."

Read more: http://www.informationweek.com/blog/main/archives/2009/01/pci_is_meaningl.html