Recent breaches have rekindled the perennial security vs. compliance debate. It seems like every time a major merchant or service provider breach is disclosed, "were they compliant with PCI DSS?" is one of the first questions asked. Regardless of whether the answer is yes or no, it's then interpreted as an indication that the PCI DSS doesn't work.
This assessment makes a lot of sense if you think the PCI DSS is intended to protect merchants and service providers. But it isn't. And if you're basing security decisions on that premise, you're doing it wrong. The objective of the PCI DSS is to reduce risk to the card brands, not your business. Overlap between the two is just icing on the cake.