So… I’m going back to school in fall. I’m going to be taking a four-semester CCNA course. As much as I would like to think I’m capable of passing on my own, I think I’m way too distracted between everything I have an interest in learning. So I’m outsourcing my teaching to a college. I find it strange that I have to reapply to college to take one class a semester. But I guess that’s policy.
Anyways.
My time at work has been on filling out PCI compliance documents. That’s about as much fun as a stick in the eye. From a security standpoint, I agree with PCI compliance. From a second level, I think it’s a giant game of pass the buck. The entire purpose of filling out the documentation is to get the catastrophic event insurance in the event something happens. Really, it is. The wording on most PCI compliance questions is so ridiculously open-ended that they can be interpreted in any number of ways. Truly staying compliant would require a full-time IT staff person with a high degree of skill and knowledge in about a dozen different subjects. In my case, I’m that guy and I’m distinctly and horrendously underqualified. That’s part of the CCNA info.
But the CCNA info is only part of the equation, as that covers one portion of the broad requirements. Most of the requirements seem to indicate the problem is most often internal. I don’t disagree with the need to protect internally; it’s just that in my situation, I’m more concerned about protecting externally. But that’s what happens when you have to follow what someone else tells you to do.