Ten Common Myths of PCI DSS (and what it means to retailers) pt.1

31 July 2008

The PCI council has a couple of fact sheets on their site that have some useful information, but it is, by nature, rather generic. There are some really good points discussed, however. In particular, there is a document called ‘Ten Common Myths of PCI DSS’ which is freely available for download:

https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

There are some really interesting points in this document for retailers and I’m going to quickly (I promise) make a few comments about each point in a series of posts. Myth #1 after the jump:
MYTH 1 - One Vendor and Product Will Make Us Compliant

OK. This is a good first myth to discuss - back when I was working with retailers to put funding solutions together for POS investments, the big push was to make sure that the POS software was PCI certified (most of the existing vendors were struggling through the changes at the time). The retailers were all over the software vendors to be compliant and seemed to rest all of their hopes of compliance on the ability of that software vendor to deliver….

They were right to push the vendors to make their products PCI ‘compliant’; however, implementing that ‘PCI-friendly’ piece of software didn’t actually make the retailers themselves compliant - it was just one of many, many things that they had to address in a much larger program.

Currently it seems that there are a number of products that are on or are entering the market that are actively positioning themselves as ‘silver bullet’ solutions, but the same situation still exists - PCI is not point-solution friendly.

Ultimately the responsibility for compliance lies with the retail organization - not with external vendors. PCI (and information security best practices in general) needs to be integrated into an organization, as it can have far-reaching impacts within a company (including finance, operations, IT, etc.), and there will be a continuous need for assessment and remediation as changes occur within the organization, within PCI, and in the potential threats.