Overheard a dev bragging about how our site is fully PCI compliant. So much so even the invoice data is secure. My BS meter went off, so I decided to look at what 'secure' code looked like.

Seems to me that you guys are in safe hands, as he seems to know what he is doing...

I swear the number of devs who say that and have no clue what PCI compliance covers totally grinds my gears.

@CrankyOldDev We're PCI compliant because we don't store credit card data and the secure network separations.
If auditors ever looked at our code...sheesh...and I wrote a lot of it.

Before PCI compliance, never gave a second thought to logging card #, exp date, etc. You might have found a customer's password in plain text in a log or two.

Nice. So you can make everything secure just by prefixing all names with 'secure'.

This has to be a joke?