Much has been said since PCI's inception. The following article does an excellent job of summarizing the crux of the issue. Unfortunately for the credit card industry and retailers as a whole, PCI is widely considered (and I believe it to be) a self-serving entity created to stave off government intervention. It is hard to fathom that the end may be near for PCI because of that self-serving image. While significant effort has been made to change the way card data is processed, there has been little effort to implement the technologies necessary to identify and authenticate cardholders and to hold everyone accountable for the credit they have been authorized to use.
Government intervention will be a good thing for PCI. Here's why: most government officials know nothing about security. Politicians as a whole are clueless about most of the issues they are confronted with and rely on staff to brief them. Key word: "brief". Worse, they interpret everything in terms of how it can get them re-elected.
All of this means that PCI will sit in front of Congress answering stupid questions that it must nonetheless be prepared to answer. It will have to go beyond the call of duty to satisfy some of the dumbest people on earth. That will require incredible due diligence.
January 9, 2009 – 3:20 P.M.
Regulators: Thanks PCI, but we'll take it from here
The Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major credit card companies has probably done a lot to stave off state and federally mandated controls for protecting customer credit and debit card data up to now. The big question as a new year begins is: for how much longer?
More than two years after the PCI standard went into broad effect, data breaches involving payment card data continue unabated. Obviously it would have been unrealistic for anyone to have expected them to stop altogether just because of PCI. And it’s impossible to know how many compromises were averted because of the standard.
Even so, the number of data compromises involving payment card data being disclosed by businesses is only increasing, not decreasing. One reason is simply that state breach notification laws are forcing companies to disclose compromises that in the past they might not have. Another is the continuing lack of visible enforcement of PCI, which has resulted in an environment where many companies, including large ones, are still not fully compliant with the mandate.
And that’s a problem for those hoping that a private industry initiative such as PCI alone will be enough to keep lawmakers at bay for much longer.
Already Massachusetts and Nevada have passed laws requiring companies to encrypt all sensitive customer data and implement measures for controlling access to it. The Massachusetts law, which seems to have a lot of people anxiously reviewing their security measures, was supposed to have gone into effect Jan. 1 but has been pushed back to May 1. Nevada's law went into effect on October 1.
As far back as May 2007, Minnesota passed a law known as the Plastic Card Security Act. Under the statute, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. Attempts at passing similar legislation, most of which is sponsored by financial institutions, have so far failed in places such as California, Texas and elsewhere. But all it's going to take is another major retail breach or two for them to be revived.
The security requirements spelled out in these statutes are mostly the same as those mandated under PCI though they cover other data classes as well such as Social Security numbers and bank account information. The key difference is that the mandates in Massachusetts and elsewhere are coming from a government agency and carry the full authority of state law. Companies that suffer data breaches and are found to have been noncompliant with the regulations could find themselves exposed to greater legal and financial issues than the PCI standard generally provides for.
Here again, everything will depend on how vigorously these mandates are enforced. But it probably is going to be a whole lot riskier for companies to simply pretend they are doing something, as at least a few appear to be doing with PCI.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.