Monday, January 21, 2008

An interesting report on the state of PCI, conducted by Forrester Research for RSA, points out that encryption and access control are the top challenges for organizations trying to become PCI compliant. Furthermore, these organizations keep too much data; however, the PCI controls are used to drive compliance and improve security in the same organizations.

The report found that companies are concerned about data classification and access control policies. Data classification can of course be achieved with DLP, but in most PCI systems I know of, the data traverses the network, resides in databases and file shares, and is processed and available through web applications.

This means that the future of DLP will have to answer the challenge of identifying PCI data throughout all its use, and be able to identify business processes that do not adhere to the standard, as well as provide audit capabilities that drive down the cost of maintaining PCI compliance.
