PCI DSS Compliance and Banks

This may be a silly question - but are there any PCI DSS Compliant banks out there??

I’ve been working on a PCI DSS Compliance project for a bank, and we’ve just had our first meeting with our QSA. It became very obvious very quickly that he had never run a compliance project for a financial organization.

Now just bear in mind - banks are stuffed with card information and processes - that’s their business. Then imagine the amount of work required to document every single data flow for every type of business process through every single system. That’s what we’re being asked to do. Surely other banks haven’t agreed to document things to this level of detail?

We know the information is there, and we need to keep it. So surely PCI DSS should be about proving we can protect it. What’s the relevance of documenting every single business process to the Nth degree? Apart from keeping me in work for the next five years! :smiley: