And that, he said, is the point: Security standards can only be effective if a company is in compliance all the time. That comports with a long-time mantra of security experts, that "compliance is not security," especially when companies scramble to meet compliance standards for a yearly audit, but then let things slide until the next audit is approaching.
John Shier, who blogs for Naked Security, agrees, but said that "snapshot compliance" remains a problem with the new standard.
Shier, who conducted a mini-debate with himself earlier this year with dueling blog posts over what he considers the successes and failures of the new standard, contended in the "Why it fails" post that "one of the greatest failures of the PCI DSS is its compliance-as-a-snapshot nature."
The standards do have a "business-as-usual recommendation," he wrote. "But that's all it is: a recommendation."
Not so, contends Troy Leach, chief technology officer of the PCI SSC. "We hear that all the time," he said, "and we wonder, 'Have they actually read the standard?' We've been very proactive in the continuous security approach. They are requirements."
Leach said the council has "published a couple of documents along that line. You're going to fail if you're looking at getting just a snapshot of compliance," he said, adding that the standard explicitly calls for "continuous monitoring of the environment. It's not about being compliant for two months and then taking 10 months off."
That resonates with Christopher Strand, compliance consultant at Bit9, who said the new standard is a "more direct approach to encouraging businesses to ensure that security controls are actually effective at protecting critical data rather than getting a check mark."
And Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research, said any organization that implements the standards fully would be "an incredibly hard target for hackers."
But there are mixed estimates about whether some merchants will be ready even for "snapshot" compliance by the deadline. According to the Verizon Business 2014 PCI report, only 10 percent of companies are passing their baseline assessment. On the other hand, Kurt Roemer, chief security strategist at Citrix, told Security Week recently that organizations are "overwhelmingly ready for PCI DSS 3.0."
Leach said readiness generally depends on the size of the company. He said most of the largest, so-called Level 1, companies "are prepared and aware. The small ones, not so much."
Russo was a bit more emphatic. "Some of the SMBs (Small and Medium Businesses) don't know which end is up," he said.
That, they both agreed, means the council has to do more outreach and education. "We are working on how to bridge that," Leach said. "We're partnering with banks and merchant associations, we have an SMB web site and are looking at several other things this year."