In Depth

All About the PCI Data Security Standard

More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.

By Sarah D. Scalet

Page 8

In the same time period, however, calls for regulatory action stepped up even more quickly. Shortly after the TJX breach disclosure, Barney Frank, chairman of the House Financial Services Committee, issued a stern rebuke, calling the incident “further evidence” of Congress’s need to intervene. “[T]hose institutions where breaches have occurred must be identified and they must bear responsibility,” the Massachusetts Democrat said in a statement. “Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today.”

No one really wants more regulation; everyone just wants the security breaches to stop. Jay White, global information protection architect at Chevron, where some business units must comply with the PCI standard, isn’t alone in pointing out that it would, in theory, be easier for private industry to police itself. “There are times when you are applying resources just for government compliance as opposed to having it add any business value,” White says. “I would rather have industry be self-regulated, until companies demonstrate that they can’t self-regulate.”

The PCI standard is corporate America’s big chance to demonstrate that it can self-regulate. The question now is, How long before it will have proven just the opposite?

