Comment Re:wasted? (Score 1) 196
"Compliance doesn't generally add value to the individual product or service. It adds value to the network or industry."
Well, in our case it's both. I work for a company that specializes in writing credit union software, thus PCI-DSS is a MAJOR part of our jobs right now. At one point in a meeting with our dev team they said, "We don't know anything about security, we're developers."
I about had a heart attack, but now, after some coaxing and pointing out what they must change for compliance, our software is slowly (as in not yet) getting better. Better because we now have processes in place for application and OS vulnerability scanning (it was REALLY bad) and standardized installation procedures, among other things.
So our individual product is/will be MUCH better by the time we have our audit, but since we are one of the big players in the payment card network everyone benefits.