PCI compliance is Zen-like. It's hard to determine, and even when a letter declares a company PCI-compliant, that declaration can always be retroactively reversed, for example if you're breached. Yes, the moment you most need to be able to say that you are PCI compliant is the moment it's taken away. Isn't life wonderful?
What prompted this observation was a news release that crossed my desk a few days ago from Tenable Network Security. The release said the company had a new offering “that continuously monitors and maintains Payment Card Industry Data Security Standard (PCI DSS) compliance posture.” Monitors? Yes. Maintains? That is not something that software — any software — can do.
Source: COMPUTER WORLD