ABSTRACT

Until recently, risk assessment was mostly pushed into the background in PCI compliance efforts. The standard was treated as the guiding document, and each organizational implementation focused specifically on meeting the baseline it specified. I find this to be a misguided stance, and most companies that adopt it leave themselves exposed to risk: several PCI-certified organizations have suffered security breaches in recent times.