In this second installment of our feature “Thought Leadership with an Industry Expert,” we spoke with David Taylor, the founder of the PCI Knowledge Base, about PCI compliance.
Scott Olson: So I have a few questions for you today about PCI standards. The first one is that you attended the PCI Security Standards Council’s Community Meeting recently; what were some of the hottest topics?
David Taylor: Well, I have talked to several people since then. Generally the agreement is that the folks at PricewaterhouseCoopers were there to report on the study they had done for the PCI Security Standards Council of what you might call “Beyond PCI topics”: certain things that were really not addressed explicitly by PCI DSS in the 1.2 version, but were raised by many merchants and service providers and acquiring banks as ways to address compliance. This was either to reduce the scope of compliance, or to secure cardholder data, or both of the above, and they were looking into a number of different things. I think they started out with twelve and they narrowed it down to three or four, depending on how you count.
The rest of the meeting largely consisted of feedback, meaning that people went up to the microphone and talked. The subcommittees, or the special interest groups, related to virtualization and wireless and the scope of the PCI standards all spoke. I think generally what was reported out was the status of committee efforts, and nothing earth-shattering. You’re not supposed to expect earth-shattering things out of a meeting that takes place in the off year, meaning that the standards come out every two years and this is an off year. So they are preparing people for what is going to happen next year. I think the clarity of that is always like, “Well, we are working on stuff and there are a lot of things going on, but we can’t really tell you all that much because it is a work in progress.”