We notice you are visiting from a U.S. Internet provider. 
19/02/2010 -
A number of organisations, when faced with a PCI compliance audit, spend enormous amounts of time and energy to put controls in place and hit all the points on the checklist. Yet many do not - and cannot - sustain these measures, leaving them to spend all that time and energy over again for the next audit.Not only is this a more expensive way to address payment processing security, but it also leaves the organisation more vulnerable, said a recent whitepaper from Computerworld in partnership with security and compliance firm Tripwire.
Instead, said the report, payment processing security measures should be ongoing - something that will fulfill PCI DSS requirements in the process.
"There shouldn't be a heroic effort to comply with standards. Security, by definition, involves safeguarding confidential information, protecting against fraud, ensuring systems are available so you can generate revenue, and making sure there are no errors in the stack," said Gene Kim, co-founder and CTO of Tripwire. "When you do all these things, you inherently wind up fulfilling the intent of all major regulatory and industry compliance regulations."
Bob Russo, general manager of the PCI Security Standards Council, has historically been an advocate of this position, advising merchants that they should prioritise security, not compliance.
