There is only one thing worse than being threatened with having to pay protection money: paying for the protection and still getting robbed.
That pretty much sums up how a lot of people feel about the Payment Card Industry Data Security Standard (PCI DSS) these days. Companies have spent millions of dollars installing compliance technologies -- not to mention all the money being spent on auditors -- only to discover that security breaches keep happening anyway.
It might seem there's something fundamentally wrong with the way people are implementing PCI DSS. After all, it's a complex undertaking, so getting it right is not easy. But the other side of the equation is that PCI DSS covers only a limited segment of the payment process. Clearly, a lot more work has to be done to secure the payment process beyond the scope of the standard.
For example, the standard requires that stored cardholder data be protected, but exactly how and where that data is stored and how it should be encrypted are things an IT organization has to work out for itself. One thing everyone can agree on is that the PCI DSS process is tedious. So if all else is equal among vendors such as Thales, IBM, Oracle and Tripwire, then maybe you should choose the vendor that does the most to help automate the process. After all, a lot of the expense associated with PCI DSS goes to auditing the process. If the process is automated, chances are it will be done right the first time, and you'll spend less time, money and energy on it.
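As an added illustration of what "automating the process" means in practice (this is example code written for this page, not code from the column or from any of the vendors named above): a small scanner that looks for cleartext primary account numbers (PANs) in stored records or log lines, filters candidates with the Luhn check so ordinary 16-digit numbers are not all flagged, and reports hits masked to first six and last four digits so the report itself does not become one more place a PAN is stored. The sample records are constructed; the card numbers in them are the commonly published test numbers, not real accounts, and the record format is an assumption.

```python
import re

# Constructed sample records (assumed format, not from the original page).
# The card numbers are commonly published test PANs, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/27",     # cleartext PAN: should be flagged
    "order=1002 pan=5500 0000 0000 0004 exp=01/28",  # cleartext PAN with spaces: flagged
    "order=1003 pan=411111******1111 exp=03/26",     # already masked: acceptable
    "order=1004 token=tok_9f8e7d6c5b4a exp=06/26",   # tokenized: acceptable
    "order=1005 pan=4111111111111112 exp=09/27",     # 16 digits but fails Luhn: ignored
]

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN as first six + last four, the usual masked display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(text: str) -> list:
    """Return the PAN-like digit runs in text that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(records) -> list:
    """Scan a list of records; return (record_number, masked_pan) findings."""
    findings = []
    for number, record in enumerate(records, 1):
        for pan in find_cleartext_pans(record):
            findings.append((number, mask_pan(pan)))
    return findings


def redact(text: str) -> str:
    """Replace Luhn-valid PANs in text with their masked form, e.g. before logging."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    for number, masked in scan(SAMPLE_RECORDS):
        print(f"record {number}: cleartext PAN found -> {masked}")
```

Treat the output as triage, not proof: the Luhn check removes most random digit runs but other identifiers also use Luhn, so a hit still needs a human to confirm it is cardholder data and whether that store is in PCI scope. The `redact` helper is the same logic turned around, for keeping PANs out of application logs.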
Although some people question the efficacy of PCI DSS, we would probably be a lot worse off without it. But a lot of work remains to be done to streamline the PCI DSS process. Unfortunately, the card brands such as Visa, MasterCard and American Express that set the PCI specifications aren't the ones doing the actual implementations. As a result, we're experiencing a lot of pain and frustration right now relative to the benefits, which is why so many companies are out of PCI DSS compliance. Making it easier to comply, without compromising the integrity of the standard, needs to be job one for the entire PCI DSS community.