Secure Coding mailing list archives

PCI: Boon or bust for software security?


From: amurren at gmail.com (Andy Murren)
Date: Tue, 4 Mar 2008 09:02:45 -0500

Overall I concur with Bruce on this.  PCI has too broad of a
constituent base to cover to be truly effective.  Some fixes were
added after the TJX breach, but look at how much TJX paid versus how
much they laid aside to pay.  I am betting that the TJX lawyers
produced documents showing that they were PCI compliant, and that Visa
had accepted the annual findings.  In the end TJX was able to claim
that they were not negligent because they were PCI compliant.  While
PCI 1.1 points to OWASP for in house developed web applications, where
are the standards for 'PCI Approved' vendor development?  How secure
is the development process at the middleware vendor that is part of
that web app, how good are the standards those organizations use and
are held to?

I think until there is an industry wide, generally accepted, and pushed,
standard for integrating secure development into the SDLC we will see
band-aid approaches like the updated PCI.

Andy
