
Articles in the PCI Philosophy / Approach Category

PCI Philosophy / Approach, Retailers »

[29 Dec 2008]

Just read a couple of articles on StoreFrontBackTalk from earlier in the month.  Both were written by David Taylor (who started PCI Knowledge Base - www.knowpci.com) and both were good articles.  The one from the 10th had this blurb as one of his recommendations for dealing with security/PCI in a tough economy….
Focus on risk reduction, not fine avoidance
Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening …

PCI Philosophy / Approach, Retailers »

[23 Dec 2008]

OK -
This must have been the article that Ms. Amato-McCoy had written to spark the little editorial that I also just posted about.
The article is about Staples and their Information Security Officer - Christopher Dunning.  It is nice to see that Mr. Dunning seems to have the ‘right’ attitude about security (so says me) and isn’t just looking at the endeavour as something that needs to be checked off.
PCI is a budget exercise.  It’s the ‘fundable’ buzzword that finance requires to attach money to security and to give intelligent, business-focused executives …

PCI Philosophy / Approach, Retailers »

[23 Dec 2008]

For some reason, I didn’t see this earlier, but wanted to say ‘kudos’ to Ms. Amato-McCoy.  It’s a short article that just talks about why PCI is important, but as a standard, not as the security end-all that some retailers are still claiming should address all of their security issues.
My favorite quote from the article is at the end - ‘Chains can no longer view security measures simply as a means to achieving some level of “compliance.”
Rather, it is the retailers that take a proactive, foundational approach that will find …

Interesting, PCI Philosophy / Approach »

[16 Dec 2008]

I have to admit that I don’t always see eye-to-eye with the PCI Knowledge Base on their approach to PCI in retail (it’s a philosophical thing - they are very good about accuracy, etc.), but this article was very interesting and, I think, very relevant.
I’m actually involved with a webinar that is going to happen in January that discusses PA-DSS and its impact on retail technology strategy and buying decisions over the next 18 months.  In other words, as a retailer, why should I care about PA-DSS….  As it gets …

Interesting, PCI Philosophy / Approach »

[8 Dec 2008]

Here are two good posts clarifying a topic that really seems to confuse people.  Also, I know I’ve just been re-posting lately, but things have been a little nuts around here - I’ll try to throw together a good rant shortly…
http://pcianswers.com/2008/12/07/saas-compliance-and-levels/
http://pcianswers.com/2008/12/07/service-provider-or-pa-dss/

Interesting, PCI Philosophy / Approach »

[3 Dec 2008]

PCI Blog - Compliance Demystified » Blog Archive » Web application vulnerabilities at large.

PCI Philosophy / Approach »

[3 Dec 2008]

Interesting thoughts on call centers…
PCI Blog - Compliance Demystified » Blog Archive » Call centers with VoIP phones could expand PCI scope.

PCI News, PCI Philosophy / Approach »

[25 Nov 2008]

This has been a needed piece for some time - PCI has created a mad rush to sell, sell, sell and has allowed some companies to exploit fear and confusion to profit unfairly to the detriment of their clients.
I have seen too many situations where we get involved with a client that has previously been working with another partner only to find multiple vulnerabilities that were somehow ‘missed’ by our predecessor or to learn that our client has just spent $2M buying hardware from their audit company (based on that …

Alerts, Interesting, PCI Philosophy / Approach, Uncategorized »

[19 Nov 2008]

NetSPI was the feature article in today’s Star Tribune business section.
Penetrating IT security to find the weaknesses.

Alerts, PCI Philosophy / Approach, PED / Payment Terminals, Vendors »

[18 Nov 2008]

It’s good to see a ‘vendor’ understanding that providing a secure solution is extremely valuable to the retail community…
VeriFone Takes Lead in Securing Card Payments with PA-DSS
Will Only Provide PA-DSS Audited Payment Applications in Initiative that Supports New Rules Governing PCI Compliance for All Levels of Merchants
VeriFone Takes Lead in Securing Card Payments with PA-DSS - MarketWatch.