So What Is PCI Really About?

CSO's publisher says card issuers must do as they say, not just say what to do

By Bob Bragdon, Publisher, CSO

February 01, 2010 | CSO

Over the last several years, PCI DSS has become a driving force in information security. Much as federal regulations like GLBA and SOX did in their day, PCI has become the hook that many organizations hang their budget request hats on in order to get funding. What a great model: Have the credit card industry use its muscle to get the merchants to institute good security practices.

In theory it sounds workable.

But I'm beginning to hear a few disturbing tidbits of information that make me question where the credit card companies are coming from. Think about things from the enforcement side of the equation: The credit card issuers police the merchants for PCI violations and then have the option to levy fines for those violations. Storing full credit card data in an unencrypted format? That's a fine. I think most of you know the drill.

But what if the credit card companies are maneuvering the merchants into noncompliance?

What I'm told is that some of the biggest violators of PCI are the card issuers themselves. I won't name names, but I've been hearing, repeatedly, that some card issuers are sending full customer account data to merchants in unencrypted files. The merchants I have spoken to are hopping mad about this because it forces them into violations of key PCI provisions. It also opens them up to fines from the very organizations that are sending them the vulnerable data.

So what does this all mean? The capitalist in me says it sounds like a great revenue model for the credit card companies. Financial quarter looking a little weak? Send out some e-mails with unencrypted card data to merchants and then start handing out fines. Want to pad your CEO's bonus a little more? Send out a BIG file and follow it up with a BIG fine. Who are they going to complain to?

Of course I'm joking here. (Am I?) But if card issuers aren't taking this seriously, how do they expect merchants to do so? I am told that card issuers claim these are unique incidents that have happened inadvertently—anyone else see the irony here? But unfortunately I am also told that rarely does a week go by when this does not happen.

As the rules become increasingly strict, card issuers are going to have to move beyond the "Do as I say, not as I do" mentality and begin to lead by example.

Have you run into this? Drop me a line and let me know.
