For years, I have been studying the PCI DSS compliance problem, as well. I have noticed many similarities to the "SOX-404 Is The Biggest IT Time Waster" wars in 2005. I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about the it. We identified scoping and substantiation as the root cause of the billions of dollars of wasted time and effort, while not reducing the risk of financial misstatements.
<p>I propose to present the two year success story of the IIA GAIT team (http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/ [www.theiia.org]) and how we changed the state of the IT audit practice in support of SOX-404. We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404. We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 CPA firms. In short, we made a difference, in a highly political process that involved many constituencies.</p>
<p>I am attempting to do something similar with the PCI Security Standards Council, through my work as part one of the leaders of the PCI Scoping SIG (Special Interest Group). My personal goal is to find a 'third way' to better enable correct scoping of the PCI Cardholder Data Environment, and create a risk-based approach of substantiating the effective controls to ensure that cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.</p>
<p>My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts (e.g., tons of ambiguity, every QSA and consultant seeming to have a different approach, existing guidance either too prescriptive or too vague, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in risk of data breaches), and catalyze a similar movement to achieve the spirit and intent of PCI DSS.</p>