by randerson 23 days ago
I've implemented PCI-DSS and have 12 years of level 1 audits behind me. I actually find their rules to be sane, pretty good security practice. Internally, we made many of the controls standard across the board even for out-of-scope systems because they were sensible and we'd already built the tooling for it. If you implement it well, once you're compliant it is easy to stay compliant.

And yes, there is plenty of incentive to keep things out of PCI scope. I'd say that is PCI working as intended. Why would you want a larger attack surface that touches your credit card data?