The PCI Council will be releasing a list of 12 milestones for businesses to address on the way to becoming PCI compliant. The list will contain milestones such as removing unnecessary sensitive data (do people really need to be told that?) from systems.
The full article explaining the milestones can be found here. I think the most interesting point in the article is from Bob Russo of the PCI Council, who said:
“Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.”
I might be wrong, but Heartland and RBS WorldPay were PCI compliant and they were breached! I have come across a great discussion around this statement at securosis.com. I think they are making some very valid points over there, so I'm not going to repeat them here; go over and visit the discussion on Securosis and let me know what you think.