Much has been said since PCIs inception. The following article does an excellent job of summarizing the crux of the issue. Unfortunately for the credit card industry and retailers as a whole, PCI is considered (and I believe) a self serving entity to stave off government intervention. Its hard to fathom that the end may be near for PCI due to their self serving image. While significant effort has been made to change the way data is processed, there has been a lack of effort regarding implementing technology’s necessary to identify, authenticate and and make all accountable for the credit they have been authorized.
Government intervention will be a good thing for PCI. Heres why, most government officials know nothing about security. Politicians as a whole are clueless regarding most issues they are confronted with and have staff to brief them on the issues. Key word “BRIEF”. Worse, they interpret everything based on how it can get them re-elected.
This all means that PCI will sit in front of congress answering stupid questions that they have to be prepared to answer. They will have to go beyond the call of duties to satisfy some of the dumbest people on earth. That will require incredible due diligence.
January 9, 2009 – 3:20 P.M.
Regulators:Thanks PCI, but we’ll take it from here
TAGS:data breaches, data security, PCI, regulators, retail security
IT TOPICS:Government & Regulation, Security
The Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major credit card companies has probably done a lot to stave off state and federally mandated controls for protecting customer credit and debit card data up to now. The big question as a new year begins, is for how much longer though?
More than two years after the PCI standard went into broad effect, data breaches involving payment card data continue unabated. Obviously it would have been unrealistic for anyone to have expected them to stop altogether just because of PCI. And it’s impossible to know how many compromises were averted because of the standard.
Even so, the number of data compromises involving payment card data being disclosed by businesses is only increasing, not decreasing. One reason is simply that state breach notification laws are forcing companies to disclose compromises that in the past they might not have. Another is the continuing lack of visible enforcement of PCI which has resulted in an environment where many companies, including large ones, are still not fully compliant with the mandate.
And that’s a problem for those hoping that a private industry initiative such as PCI alone will be enough to keep lawmakers at bay for much longer.
Already Massachusetts and Nevada have passed laws requiring companies to encrypt all sensitive customer data and implement measures for controlling access to it. The Massachusetts law, which seems to have a lot of people anxiously reviewing their security measures, was supposed to have gone into affect Jan 1 but has been pushed back to May 1. Nevada’s law went into effect on October 1.
As far back as May 2007, Minnesota passed a law known as the Plastic Card Security Act. Under the statute, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. Attempts at passing similar legislation-most of which are sponsored by financial institutions–have so far failed in places such as California, Texas and elsewhere. But all its going to take is for another major retail breach or two for them to be revived.
The security requirements spelled out in these statutes are mostly the same as those mandated under PCI though they cover other data classes as well such as Social Security numbers and bank account information. The key difference is that the mandates in Massachusetts and elsewhere are coming from a government agency and carry the full authority of state law. Companies that suffer data breaches and are found to have been noncompliant with the regulations could find themselves exposed to greater legal and financial issues than the PCI standard generally provides for.
Here again, everything will depend on how vigorously these mandates are enforced. But it probably is going to be a whole lot riskier for companies to simply pretend like they are doing something, as at least a few appear to be doing, with PCI.