Martin gives his PCI Christmas Wish List:
So what would I wish for from the industry and the PCI Council this Christmas if I knew they couldn’t turn me down? Like I said in the beginning, I’d shoot for the stars: I want a complete rewrite of the PCI requirements that focuses on the desired outcomes, not the specific technical steps that need to be used to accomplish them. Josh Corman had a good suggestion about this: keep the current requirements as an example of how to implement the new requirements, but we’d have a list that focuses more on the outcomes we want and less on the technology that is needed to make them happen. The problem with this solution is that it would introduce a lot more wiggle room in the DSS and would require a more mature, knowledgeable group of QSAs, but it would also give merchants and service providers the ability to be more flexible in their solutions and maybe even allow them to concentrate on security first, compliance second.
Personally, I’d like a set of tools that make it very easy to generate checklists of compliance issues to accomplish. I do this manually: using an automated scanner that presents me with a list of vulnerabilities, I copy/paste them into trouble tickets, or from the self-assessment questionnaire I answer the questions and then copy out the items to work on. But in the SAQ, the current “No” answers are scattered randomly throughout the questionnaire, rather than summarized together for reference.
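The tooling Martin describes wanting is small enough to sketch. The script below is an added example, not Martin’s code and not anything the PCI Council publishes: it pulls every “No” answer out of an SAQ export and every finding at or above a severity threshold out of a scanner export, and prints them as one checklist grouped by DSS requirement. The CSV column names, the severity labels, the sample rows, and the decision to file scanner findings under Requirement 11 are all assumptions made for the illustration; a real SAQ or scanner export will need its own column mapping.

```python
"""Consolidate PCI DSS SAQ 'No' answers and scanner findings into one checklist.

Added example for illustration only. The CSV layouts, severity names and the
sample rows are constructed here; map your own exports' columns accordingly.
"""
import csv
import io
from collections import defaultdict

# Constructed SAQ export: one row per question, with a free-text answer column.
SAQ_CSV = """question_id,requirement,question,answer,compensating_control
1.1.1,1,Is there a formal process for approving firewall changes?,Yes,
1.2.3,1,Is there a firewall between wireless networks and the CDE?,No,
2.1,2,Are vendor-supplied defaults changed before installation?,No,Yes
3.4,3,Is PAN rendered unreadable anywhere it is stored?,N/A,
8.3,8,Is multi-factor authentication used for remote access?,No,
10.5,10,Are audit trails secured from alteration?,Yes,
"""

# Constructed scanner export (hosts and plugin IDs are made up).
SCAN_CSV = """host,plugin,severity,title
10.0.0.5,12345,High,SSL Version 2 and 3 Protocol Detection
10.0.0.5,23456,Medium,Apache Server Version Disclosure
10.0.0.9,34567,Low,ICMP Timestamp Request Remote Date Disclosure
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Assumption: scanner findings are tracked under Requirement 11 (vulnerability scanning).
SCAN_REQUIREMENT = "11"


def saq_open_items(csv_text):
    """Return only the questions answered 'No', keyed by DSS requirement number.

    'Yes' and 'N/A' rows are dropped; a claimed compensating control is kept as
    a flag so the ticket can say so, because the item still needs evidence.
    """
    items = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["answer"].strip().lower() != "no":
            continue
        items[row["requirement"].strip()].append({
            "ref": row["question_id"].strip(),
            "summary": row["question"].strip(),
            "compensating_control": row["compensating_control"].strip().lower() == "yes",
        })
    return dict(items)


def scanner_open_items(csv_text, min_severity="Medium"):
    """Return scanner findings at or above min_severity (unknown severities rank 0)."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if SEVERITY_RANK.get(row["severity"].strip(), 0) < threshold:
            continue
        findings.append({
            "ref": f"{row['host'].strip()}/{row['plugin'].strip()}",
            "summary": f"[{row['severity'].strip()}] {row['title'].strip()}",
        })
    return findings


def build_checklist(saq_text, scan_text, min_severity="Medium"):
    """Merge SAQ gaps and scanner findings into one list sorted by requirement, then ref."""
    tickets = []
    for req, items in saq_open_items(saq_text).items():
        for item in items:
            note = " (compensating control claimed)" if item["compensating_control"] else ""
            tickets.append({"source": "SAQ", "requirement": req,
                            "ref": item["ref"], "summary": item["summary"] + note})
    for finding in scanner_open_items(scan_text, min_severity):
        tickets.append({"source": "scan", "requirement": SCAN_REQUIREMENT,
                        "ref": finding["ref"], "summary": finding["summary"]})
    tickets.sort(key=lambda t: (int(t["requirement"]), t["ref"]))
    return tickets


def render(tickets):
    """Render the checklist as plain text with one heading per requirement."""
    lines = []
    current = None
    for t in tickets:
        if t["requirement"] != current:
            current = t["requirement"]
            lines.append(f"Requirement {current}")
        lines.append(f"  [ ] ({t['source']}) {t['ref']}: {t['summary']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_checklist(SAQ_CSV, SCAN_CSV)))
```

The severity threshold is a parameter rather than a constant because the bar differs by scan type; set it to match whatever the assessor or ASV applies, and keep the “compensating control claimed” items on the list rather than dropping them, since each one still needs a documented worksheet to pass.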