Payment Application Security: does it matter?

I spend a fair amount of time discussing security and compliance: in particular, the details of achieving PCI and PA-DSS but, more broadly, the idea that compliance is an outcome of a risk-based approach to security. In these discussions, I’ve noticed two common questions, or perhaps concerns, that arise: Why should a merchant or software company [...]