Opinion
PCI: Smart or Stupid?
The data security standard isn't as complex as some would have you believe
By Ben Rothke
Recent events demonstrate otherwise. TJX Companies violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in one recent quarter, it took a $12 million loss, equal to 3 cents per share, for costs incurred to investigate and contain the intrusion, improve computer security and systems and communicate with customers, as well as for technical, legal and other fees. The company also reported that it expects that it will continue to incur these types of costs related to the intrusion in the subsequent quarter and estimated that the costs will total 2 cents to 3 cents per share.
Such breaches are precisely what PCI exists to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment, saving the organization millions of dollars and sparing it significant negative publicity. Absolutely nothing complex about that.
All it takes is one successful hack attack to wipe out years of so-called savings gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won't happen to it.
The time to take security seriously is before an attack happens, not after. That is what PCI aims to do. PCI is the best thing that has happened to consumer data protection in the payment industry in many years. The quicker it is embraced and implemented, the better off we all will be.
Ben Rothke, CISSP, QSA, is a security consultant with BT INS.