A few comments and observations regarding
Views regarding PCI compliance are mostly positive
Most IT security practitioners believe...
Sure, they are the ones for whom work is being generated by PCI! :) A
survey of business owners/CEOs would be much more interesting.
A majority of survey respondents were "very confident" they could
pass an assessment today.
Hmm... these respondents need to read the Verizon 2010 Payment Card
Industry Compliance Report:
http://www.verizonbusiness.com/go/pcireport where 78% were
non-compliant at IROC. My experience also is that organizations are
not nearly as compliant as they think they are. They tend to make
assumptions without actually reading the requirements.
The card brand, however, reports only "moderate" compliance for smaller retailers.
I bet that is putting it mildly!
"The people and education is a big issue that maybe is more
challenging to address than just putting a technology in place," Kost
said.
Definitely! We were just discussing this very issue on
here... attitudes are hard to change.
Needing to upgrade antiquated systems to bring them into
compliance is the second greatest pain point...
Ditto again. I have a client running Fedora Core 3 systems (not
necessarily in the CDE) with so much stuff all on one system (against
best practice and a violation of PCI if in scope) that it has been
nearly two years and we still have not been able to move/upgrade it!
Dan Langin, a Kansas lawyer who advises clients on PCI
compliance, told SCMagazineUS.com on Wednesday that organizations
commonly have challenges with the step that requires they maintain a
policy that addresses information security.
I'll have to remember that name. Never before ran into a lawyer who
specializes in PCI.
This requirement is somewhat objective and it can be difficult to
determine whether the organization is actually in compliance, he
said.
And I think he means subjective, not objective... And this is the
point where one of my clients is currently stuck. They have most of
the technical requirements met but need to do some documentation and
education of policies.
The cost to achieve PCI compliance is often tied to an
organization's size, with larger companies spending more than their
smaller counterparts, Kost said. Sixty-two percent of all respondents
said they have spent at least $100,000 on compliance over the past
five years.
It is also tied to "technical debt". If you have a very messy
environment with interdependencies all over the place running on
systems which have been EOL for ages it is going to cost a whole lot
more. Such is the case with the Fedora Core 3 client above.
Most organizations plan to increase PCI compliance spending in
2011, with some organizations planning to invest in technologies that
allow them to comply in virtualized environments, according to the
survey.
What sort of technologies would they need to allow them to comply in
virtualized environments? The virtualization container is to be
secured to at least that of the highest level virtual machine running
in it.
Meanwhile, 60 percent of respondents said they are using another
emerging technology – point-to-point encryption (P2PE), sometimes
referred to as end-to-end encryption
I would hardly call P2PE an emerging technology. VPN, SSL, etc., which
we have had for many years now are P2PE. I think the innovation here
is in having it built into a PED.