PCI: "Follow the Standards to the Letter"
An interesting quote from Bob Russo on how the PCI standard should be followed:
Bob Russo, the general manager for the PCI Security Standards, a group that devises data security measures for the five major credit card companies, said almost all data breaches are the fault of the merchant. "Everybody that has been breached has been noncompliant with the standard," he said, noting that the circumstances of the Hannaford breach are still too murky for him to render a judgment about. "If you follow the standards to the letter, it puts enough of a hard shell around the data that it is hard to get to."
Full story here. My question: what about all those emails from the PCI Council, the card brands, acquiring banks and payment processors that purport to resolve ambiguities and which may not be "to the letter" of the PCI Standard? That question reveals the potential problem from a legal standpoint.