Foreword
Joel Weise
Information Systems Security Association (ISSA) founder and chairman of the ISSA Journal Editorial Advisory Board, Burlingame, CA
From my perspective as one of its original authors, the history of PCI – although short – has certainly been a tortured one and one with too many conflicting interpretations, or should I say misinterpretations? It is this conflict that currently inhibits the widespread “correct” adoption and use of PCI. Instead, we often see PCI interpreted as a proscriptive check list that, if applied, will magically make an organization secure.
Clearly, that is not the case as is evidenced by the different disclosures of customer confidential information we have seen of late from organizations that passed their PCI assessments with flying colors.
Finally, we have a solid and comprehensive reference for PCI. This book explains in great detail not only how to apply PCI in a practical and cost-effective way but more importantly why. From what I have witnessed in the last several years, answering why PCI, and more importantly, why information security, is probably the single most important question one should ask, especially if you're in a regulated industry and in particular, if PCI applies to your organization.
In short, this book explains very clearly that we use PCI as a risk-based framework for implementing security architecture because a proscriptive approach cannot work for the multivarious types of organizations to which it applies. Thus, it must be tailored to fit their specific processing environment as well as business and technical requirements.
When PCI was originally promulgated it was envisioned to be implemented within the context of a comprehensive and holistic security architecture. Such an approach functions to support an overall (corporate security) risk-based governance schema, which is ultimately the goal of PCI. Given the tools presented here, an organization should be able to address PCI within the context of a comprehensive and holistic security architecture. Further, the book goes beyond explaining the primary requirements of PCI and looks at how to create a strategy for applying technology to those requirements. Of particular note and a topic often debated by security practitioners is how to use compensating controls. (Surprise, those are not intended to be a safe harbor one can use instead of a comprehensive security solution.) This is the first book that takes a realistic look at compensating control and should enable organizations to use these only when appropriate.
Developing a solid security architecture of course does not necessarily imply compliance. For that reason, this book also discusses the means for managing a PCI project to achieve compliance as well as what the considerations are for the ongoing management of the security and governance infrastructure designed and implemented with the security architecture.
There is a wealth of information here that anyone involved in a PCI assessment or remediation efforts should know. It will certainly make those efforts less painful and, in fact, quite useful and instructive. If there is a single point to take away from this book, it is this: develop a “security and risk” mindset and not a “compliance and audit” one.
Such an approach to PCI, not to mention the many requirements and regulations that organizations face today, will serve them well.