First of all it shows its age (the long winded explanation on what a firewall is, and the requirement for stateful inspection) and its vague (banning INTERNAL network addresses from coming from the INTERNET to the DMZ ?? I need some explanation on that, because it’s not clear how a service in the DMZ can have a session where the src IP is NAT’d and its coming from the public Internet…unless the company has a private VPN in which case I’m not sure what the vulnerability is exactly…)

Anyhow:

IMHO - you cannot get merchants to comply without showing how PCI DSS can give business value by effectively reducing risk.

Any bank or card processor knows that processing cards is ongoing exercise in risk management - yet Visa and MC have ignored their own core business and turned information security into a checklist compliance thing.

PCI DSS is about mitigating the risk of unauthorized disclosure of credit card numbers (on the assumption that once disclosed they can be used for fraudulent transactions) and PII (on the assumption that with a name, SSN and DOB a bad buy can steal an identity).

The problem is that the PCI DSS is an all or nothing list of controls:

A merchant has no way of calculating his risk profile in PCI.
He has no tool for knowing if implementing the controls will reduce the damage to his assets (business reputation, customer list, charge backs from the bank if he leaks data etc) because:

a) the standard has no notion of assets
b) the standard has no notion of threats
c) the standard has only an implied notion of vulnerabilities
d) the standard has no agreed upon standard to calculate the risk exposure of a merchant or processor in terms of assets, threats and vulnerabilities.

My 2c
Danny