God no. Nowhere near reached it, if you look at smaller orgs.

“What I’d like to work on next is helping people ask better questions about payments security.”

Definitely! I just had a freak-out recently over “PCI is toothless.” For fuck’s sake, you are not doing PCI because of some teeth, but to secure your data!!!

“After almost 4 years of fielding questions, I have a list of them in my head that come up over and over. ”

Mike, you need to …uh… write a book on it or something Sorry!

What I’d like to work on next is helping people ask better questions about payments security. I think we focus so much on the answers that we don’t ask if we are asking the right questions.

After almost 4 years of fielding questions, I have a list of them in my head that come up over and over. In fact you only need to get the questions for a few months before you see them repeat. In fact, I believe most people are asking the wrong questions and then debating the answers, which at that point are potentially irrelevant.

BTW, what happened with you and Aegenis?

http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Level 1 Merchants
The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance.

Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers. The Attestation of Compliance for Onsite Assessments – Merchants can be found in the PCI Requirements and Security Assessment Procedures v1.2 document.

Acquirers must submit the Attestation of Compliance for Onsite Assessments – Merchants form and a letter accepting the merchant’s full compliance validation to Visa upon receipt and acceptance of the merchant’s validation documentation.

Download the PCI Data Security Standard v1.2.

Download the Attestation of Compliance for Onsite Assessments – Merchants.

With astonishment, I have read the following argument of yours:

“Most merchants forget a small fact that every level of merchant is allowed to self assess if they wish. Level 1 merchants can use their internal audit group or a QSA, and Levels 2-4 all use the Self-Assessment Questionnaire (SAQ).”

Of course Level 1′s can self-assess, so can my grandmother, but they also have to get in a QSA for validation! If not, please show me where that is written.

I have to restrain myself physically when people say those naughty two words.”

Exactly! Me too! Me too!! I want to also remind them that risk needs to be transferred to the party responsible – which, in a conservative 99% of cases , is the merchant…