OK, so this paper ("PCI: Requirements to Action" by Ben Tomhave) deserves a blog entry of its own rather than being buried in a security reading post. It also proves that the claim that nowadays people just won't read a 38-page paper is simply wrong :-)
The fun thing about this paper is that it brilliantly combines the passion of a well-fired rant with the coolness of a detailed procedural document. Read the first 6-7 pages for a great philosophical discussion of PCI DSS (a little too dark at times for my taste: I just hated that "murky twilight of security management" phrase). Read the rest of the paper for a lot of useful and actionable guidance on how to think about PCI implementation, and even how to do it.
Here is an example of such a set of action items from the paper:
Finally, keep in mind that the paper is written solely for large companies (I am guessing L1s and large L2s), but it has some ideas that are useful for smaller ones as well.
Now enjoy the paper!