Oct 04 2010
This morning the Verizon 2010 Payment Card Industry Compliance Report was released. This report looks at approximately 200 assessments done by Verizon Business between 2008 and 2009 and draws some very interesting conclusions from the data in a very clinical, statistical way. This is the first year of the report and there’s a lot of interesting data here, but much as the Verizon Data Breach Investigations Report created nearly as many questions as it answered, so does this report. It’s a great start and there’s a lot of useful information here, but given a couple of years to mature and expand, the Compliance Report will become a very useful benchmark to show how effectively PCI is being implemented. Or isn’t.
I have a business relationship with Verizon, as in I work there, so I’m going to let others provide the majority of the criticism, constructive or otherwise, of the Compliance Report. I’m allowed to have my own opinions and I’m very vocal about them, but I’d rather see a lot of critical thinking by other security professionals who aren’t as close to the issue as I am before I weigh in. As it says in the sidebar, “The views expressed on this blog do not reflect the views of my employer …” etc. This means that I don’t claim to speak for them. It also means that I don’t allow anyone else to tell me what to say. But I’d rather wait and at least pretend to be impartial for a little while before throwing my own hat into the ring regarding the report.
With just a little luck and timing I’ll be recording an interview with a couple of the primary authors of the Compliance Report later today for release with this week’s podcast. So stay tuned.