One of the more painful tasks I’ve had to deal with in IT has been undergoing an audit, and the PCI ones always seemed to be the worst. Shawn Lukaschuk is a PCI assessor who is well familiar with the issues that come up.
It was interesting to hear the perspective of a PCI assessor. Most surprising was the understanding that IT usually gets PCI dumped on them by “the business” when it’s a shared responsibility. To paraphrase Bruce Schneier, “If you think technology will solve your problem, you don’t understand your problem, and you don’t understand technology.”