Information Security Leader, Author, Instructor and Speaker

The State of PCI DSS: The Good, The Bad and The Ugly

Posted on October 28, 2013 in Articles

Nine years ago, the Payment Card Industry Security Standards Council (PCI SSC) quietly released the first version of the PCI DSS standard, consolidating the confusing set of overlapping requirements previously promulgated by the various card brands. Almost a decade later, the industry now awaits the third major PCI DSS release as the council prepares to issue PCI DSS 3.0. This provides an excellent opportunity for the industry to reflect upon the successes and failures of the standard.

Of course, the goal of the PCI DSS is to improve the security of payment card information and reduce the cost of fraud to the sponsoring institutions. It’s no secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year. This is an age-old discussion in the world of compliance – how much of what we do actually adds security and how much is simply bureaucratic overhead?


Published October 2013 on SearchSecurity.com
