<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: PCI Compliance in 60 days?</title>
	<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/</link>
	<description>Security News</description>
	<pubDate>Sat, 19 May 2012 00:46:55 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>

	<item>
		<title>by: wow gold</title>
		<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-34346</link>
		<pubDate>Fri, 28 May 2010 01:29:27 +0000</pubDate>
		<guid>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-34346</guid>
					<description>I also had strong executive sponsorship and support of the CTO to help us overcome obstacles in IT.</description>
		<content:encoded><![CDATA[<p>I also had strong executive sponsorship and support of the CTO to help us overcome obstacles in IT.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: metin2yang</title>
		<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-34345</link>
		<pubDate>Fri, 28 May 2010 01:24:07 +0000</pubDate>
		<guid>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-34345</guid>
					<description>I am interested to hook up with a reputable group of consultants for bringing turnkey solutions in less than 60 days to a few of our clients NOW.</description>
		<content:encoded><![CDATA[<p>I am interested to hook up with a reputable group of consultants for bringing turnkey solutions in less than 60 days to a few of our clients NOW.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Mike Ghodoosian</title>
		<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-4955</link>
		<pubDate>Sat, 29 Sep 2007 22:08:13 +0000</pubDate>
		<guid>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-4955</guid>
					<description>I read your comments on the preparation of PCI solutions in healthcare. I am interested to hook up with a reputable group of consultants for bringing turnkey solutions in less than 60 days to a few of our clients NOW. 

I could also use a white paper or two on the details. Can you help or give me some advice?

Thanks,

Mike Ghodoosian, URC</description>
		<content:encoded><![CDATA[<p>I read your comments on the preparation of PCI solutions in healthcare. I am interested to hook up with a reputable group of consultants for bringing turnkey solutions in less than 60 days to a few of our clients NOW. </p>
<p>I could also use a white paper or two on the details. Can you help or give me some advice?</p>
<p>Thanks,</p>
<p>Mike Ghodoosian, URC
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Cary Sholer</title>
		<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-4308</link>
		<pubDate>Wed, 29 Aug 2007 22:51:30 +0000</pubDate>
		<guid>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-4308</guid>
					<description>Allen and Martin, I agree with both of you. Implementing any solution in less than 60 days requires advanced planning, standard procedures, and a very high functioning team with lots of experience. Implementing a security and compliance solution also requires more standards, e.g. a security policy template, well thought out support processes, and job descriptions parceled out to maintain separation of duties. 

While all of this sounds simple enough, to implement a security and compliance solution in 60 days can be done and I have done it. Yet, we had most of the prework done before we acquired the vendor solution. We also had strong executive sponsorship and support of the CTO to help us overcome obstacles in IT. The seven P's that I learned early in my career make all of the difference on these types of projects: Prior Proper Planning Prevents Piss Poor Performance. The best teams with enough prior proper planning can implement almost anything in 60 days. 
Regards,
Cary</description>
		<content:encoded><![CDATA[<p>Allen and Martin, I agree with both of you. Implementing any solution in less than 60 days requires advanced planning, standard procedures, and a very high functioning team with lots of experience. Implementing a security and compliance solution also requires more standards, e.g. a security policy template, well thought out support processes, and job descriptions parceled out to maintain separation of duties. </p>
<p>While all of this sounds simple enough, to implement a security and compliance solution in 60 days can be done and I have done it. Yet, we had most of the prework done before we acquired the vendor solution. We also had strong executive sponsorship and support of the CTO to help us overcome obstacles in IT. The seven P's that I learned early in my career make all of the difference on these types of projects: Prior Proper Planning Prevents Piss Poor Performance. The best teams with enough prior proper planning can implement almost anything in 60 days.<br />
Regards,<br />
Cary
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Martin Hack</title>
		<link>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-3898</link>
		<pubDate>Fri, 10 Aug 2007 03:40:02 +0000</pubDate>
		<guid>http://hackreport.net/2007/08/08/pci-compliance-in-60-days/#comment-3898</guid>
					<description>I'm not sure whether everything has to be in place *before* you hire a vendor. For example, most of the vendor specific documentation won't be possible to produce after it's been deployed and aligned for a given customer environment, 

The underlying issue here is that there are companies that look at PCI as, "oh it's just another audit we've got to pass", and then there are organizations who simply want to have a great security posture. Two observations here, the first group are usually the guys who always operate out of a tactical, "that's good enough" catch-up mode, the second group are the ones who have a much more strategic approach to security. Nothing that's in the current PCI DSS spec should be a surprise to anyone who deals with security, all of the requirements make security AND business sense and one could argue that companies should have been following them even without a standard and the threatening of fines. 

So I would suggest that if you approach every new security requirement from a tactical point of view you are already screwed. At the same time organizations could start and use a "60 days to compliance" at least as a framework that gets them out of the tactical and into an anticipatory mode for security.  For a disciplined organization - yes they are out there - chances are they are already there and if there are a couple of things they have to update to pass an audit, they should be able to do it in 60 days.</description>
		<content:encoded><![CDATA[<p>I'm not sure whether everything has to be in place *before* you hire a vendor. For example, most of the vendor specific documentation won't be possible to produce after it's been deployed and aligned for a given customer environment, </p>
<p>The underlying issue here is that there are companies that look at PCI as, "oh it's just another audit we've got to pass", and then there are organizations who simply want to have a great security posture. Two observations here, the first group are usually the guys who always operate out of a tactical, "that's good enough" catch-up mode, the second group are the ones who have a much more strategic approach to security. Nothing that's in the current PCI DSS spec should be a surprise to anyone who deals with security, all of the requirements make security AND business sense and one could argue that companies should have been following them even without a standard and the threatening of fines. </p>
<p>So I would suggest that if you approach every new security requirement from a tactical point of view you are already screwed. At the same time organizations could start and use a "60 days to compliance" at least as a framework that gets them out of the tactical and into an anticipatory mode for security.  For a disciplined organization - yes they are out there - chances are they are already there and if there are a couple of things they have to update to pass an audit, they should be able to do it in 60 days.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>

