PCI

PreFence reduces the time, effort and cost to become compliant, while providing the necessary ongoing monitoring and remediation, to ensure safety and continued compliance.


Achieving PCI certification is difficult for many reasons:

  • The PCI DSS requires that not only the CDE (Cardholder Data Environment) be in scope for controls (which includes the people, process, and technology components), but also any system that is connected to the CDE, including support systems.

  • There are over 200 requirements within the DSS, and they are all-or-nothing: companies either have them in place and functioning properly, or they do not and therefore have a deficiency. A failure of any single control is a failure of the entire certification.

  • Controls require supporting process documentation and evidence. This makes the entire process more cumbersome. New tools and processes need to be implemented to ensure compliance. This process in itself is arduous.

  • PCI compliance rules are prescriptive. They do not contemplate a risk assessment process when defining the controls in the environment, and organizations must follow the requirements to the letter. If they cannot meet a requirement, they will have to look into compensating controls. Without a deep understanding of the rules and how they will be interpreted, compensating controls are difficult to derive without expert advice.

  • While the notion of compensating controls is allowed in PCI DSS, they are difficult to justify and must still meet or exceed the intent of the control they are compensating for. It is likely that a compensating control is much harder to implement than meeting the stated requirements of the original control.

  • Third-party partners who are integrated with, or a party to, transactions may be required to comply with a portion of the PCI requirements themselves. Each compliant company is compelled to ensure that its partners are in compliance as well.

According to Verizon's "2011 Payment Card Industry Compliance Report" on PCI, "only 21 percent of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)." PCI is not an annual project. It is an ongoing act of diligence needed to protect the company's reputation, data, customers and revenue. The goal is successful ongoing certification.


Find out more about how PreFence Compliance as a Service can help.