Recently on the blog commenters have been talking about an ISMS (Information Security Management System), and I agree with you and them that ’security’ should be the focus of compliance. In fact, if companies secured the cardholder data in the first place, there would be no need for the compliance program.

But, I’d argue even that many times people loose sight of the big picture even when implementing an ISMS or any program for that matter. You can perform risk assessments until you are blue in the face, but good security starts with rational in mind. Rational from the end user all the way up to the person running the program.

I agree that security programs are good, but never loose focus on the primary objective - protect the data and the systems holistically.