Overall I concur with Bruce on this. PCI has too broad of a
constituent base to cover to be truly effective. Some fixes were
added after the TJX breach, but look at how much TJX paid versus how
much they laid aside to pay. I am betting that the TJX lawyers
produced documents showing that they

Worse than that, I think that until businesses universally understand the
value of secure coding practices, they will resist the up-front cost to
take on such a transformational program.

SOX vs PCI would make for a good case study. SOX is very high level and
generic, which led to much confusion

Greetings SC-L,
So here's a question to ponder. Now that PCI DSS 1.1 is out there
(save a couple June 2008 deadlines still looming), has it been good or
bad for software security as a whole?
It does require secure development processes (as prescribed by OWASP).
It does require sensitive