- PCI DSS strives to ensure continued compliance with their (albeit flawed) standard through quarterly (for Level 1) and yearly (for everyone else) audits. The only problem with this is that a lot can happen in 3 months (and certainly in a year). The automated scanning that many Level 2-4 merchants do is essentially worthless, but more importantly - the threat scenarios shift quickly these days, especially when you take into account employees and contractors who, as people, are by definition unpredictable.
- PCI DSS 1.2 mandates security controls for untrusted networks and external attacks. The phrases "trusted insider" and "business partner" are not mentioned once in the standard. This is absurd, since a significant percentage of the customer data breaches in the past few years involved trusted insiders and business partners. A card processor can be 100 percent compliant, but because they have a Mafia sleeper working in IT, they could be regularly leaking credit card numbers. This is not a theoretical threat.
- Finally - PCI DSS is a standard for whom? It's a standard to help the card associations protect their supply chain. It is not a policy used by the management of a company in order to improve customer service and grow sales volume.
To summarize:
- PCI DSS is a standard for the card associations, not for your business, nor for your customers.
- As a security standard it is better than none at all, but it leaves much to be desired because it is not oriented towards the business and consumer protection.