Last week Microsoft hosted its annual CSO Summit here in Redmond. There was a large group of CSOs from global enterprises. I lead a panel discussion on PCI DSS, as it is a major issue on the minds of CSOs these. I had with me some ditingushed guests from the industry. Since I did not ask for their permission, I'm not going to use their names. I kept the session to be interactive and we really had a lively discussion with a room full of CSOs. PCI DSS is definitely a top priority for the CSO at the retail, hospitality and financial services enterprises. They're very keen to be compliant, secure their applications and I think they're genuinely interested in protecting cardholder data. Here are my observations about the panel discussion.

1. There is a general myth that some of the companies that have been in the news recently were compliant. It is not true, they were not compliant and as a result ended up with loss of card holder data.
2. Compromises mostly happen because cardholder data is stored in places where it has absolutely no need to store - such as marketing databases, promotion databases, etc. These databases do not need cardholder information, they can work with numbers and not names.
3. There are many benefits of PCI DSS compliance. The most fundamental one being fulfilling the requirement. Other benefits are, complete assessment of applications, systems and their vulnerabilities. Protection of cardholder data and server consolidation are some other benefits.

I'll discuss more thoughts in my next blog ... until then feedback is welcome.