Why is PCI so successful?

While at the RSA Conference, I took an afternoon out to head over to Bsides, where I participated in a panel (video in twoparts) looking at the PCI Data Security Standard, and its impact on the industry. The best comment actually came to me in email afterward:

It’s worth remembering that, no matter what your opinion of
PCI, the simple fact of the panel discussion today says something
impressive about the impact the standard has had, and the quality of
the industry’s response.  Other areas of infosec haven’t matured
nearly as much, or as quickly.

Far more than any standard to date, PCI has improved the state of security across the board. Some of that is in its simplicity — the bulk of the control objectives are clearly written, and easy to implement against. Some is in its applicability — it crosses industries like few other standard. Even more, I think, is in its narrowness. Rather than trying to improve security everywhere (and failing), it focuses on one narrow piece of data, and aims to protect that everywhere.

This isn’t to say that PCI is the best we could have. Far from it. But it’s the best we have, and we should look at its model and learn for future compliance standards.