I'm a QSA and I believe that the PCI DSS provides a good starting point for organizations to help secure their cardholder data (CHD). I believe that there are other controls within the PCI DSS that can help prevent some security vulnerabilities that can squeak by bad web application vulnerability assessments and poorly implemented web application firewalls. It really does not matter what Gary thinks, because he will never be compliant. I am a Senior Consultant for the Audit and Compliance group at SecureState. At SecureState I have both led and participated on dozens of engagements, ranging from audit activities including SAS70 (yeah, I know SAS70 is dead, get over it! Now SSAE16/AT101/SOC), COBIT general controls, Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Health Insurance Portability & Accountability Act (HIPAA), ISO 27001, and the Gramm-Leach-Bliley Act (GLBA), to technical assessments including vulnerability assessments, war-driving, social engineering, and physical access. Some of my interests include picking the locks to women's chastity belts, teaching puddles how to fly, and striking fear, doom, and despair into the hearts of PCI merchants and service providers.