I was recently ushered into the proud order of the PCI QSA. If you are in charge of customer data and don't understand that acronym, your company might already be in trouble; it stands for Payment Card Industry Qualified Security Assessor. It means that it is my job to uphold the PCI DSS, or Data Security Standard, which is a large document created by the Payment Card Industry to protect the data on those payment cards and the entire transaction process. If you transmit, process or store payment card data, you must stay compliant with the PCI DSS. Yes, everybody: this means your local coffee shop or Mom and Pop grocer all the way up to Amazon.com, Walmart and TJMaxx.
Now it's not just people like me who see non-compliance. Everyday consumers are rising up against merchants for storing too many digits of their credit card number on receipts. The PCI DSS states that merchants can store at most the first six and last four digits of the credit card number.
In this tumultuous time of identity theft, data breaches and outright negligence, companies are feeling the heat from every side. The truth is that customers are becoming savvier about what companies can do with their data and aren't afraid to speak up or take their business elsewhere, to a place that knows how to treat a credit card right. Compliance is also gaining significant traction; gone are the days of toothless "best practices" or data security standards.
Luckily there is something you can do: get compliant before it's too late, and get an auditor to make sure you are and stay fully compliant. Otherwise you may get to experience the fun that is a full compliance audit!
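The "first six and last four" rule above is easy to check mechanically. The following is an added example, not code from the original post: it masks a card number (PAN) down to those ten digits, and scans receipt or log text for card numbers printed in full, using the Luhn check to drop order numbers and other digit runs that merely look like a PAN. The receipt text and the card number (a publicly known test number) are constructed for the example.

```python
import re

# Added example (not from the post): mask a card number (PAN) down to the
# first six and last four digits the post cites as the most a receipt may
# show, and scan receipt or log text for card numbers printed in full.

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep at most the first six and last four digits; replace the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:  # card numbers are 13 to 19 digits long
        raise ValueError("not a card number length")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "X" * hidden + digits[-keep_last:]

# 13 to 19 digits, optional space or dash between digits, not part of a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_exposed_pans(text: str) -> list:
    """Return every full card number in text; the Luhn check filters out
    digit runs (order numbers, timestamps) that only look like a PAN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def receipt_is_compliant(text: str) -> bool:
    """True when no full card number appears on the receipt."""
    return not find_exposed_pans(text)

# Constructed receipt: one card printed in full, one properly masked, and an
# order number that is a 16-digit run but fails the Luhn check.
RECEIPT = """\
Card: 4111 1111 1111 1111  AUTH 012345
Order #1234567890123456
Card: 411111XXXXXX1111  approved
"""

if __name__ == "__main__":
    print(find_exposed_pans(RECEIPT))       # ['4111111111111111']
    print(mask_pan("4111 1111 1111 1111"))  # 411111XXXXXX1111
```

A Luhn-valid run can still be a coincidence (about one in ten random digit strings passes), so treat a hit as something to review, not proof of a violation.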
Bully for you: you've been ushered into the greatest money-making scam since the Big Four auditors were rewarded for their incompetence with SOX, allowing them to make a ton more cash by doing even more irrelevant auditing work. The average Big Four SOX 404 work program is a case in point.
I don't expect you to take any response on this seriously, as after all you are one of those who stand to make money off the scheme. But for what it is worth...
PCI is the most narrow-minded, inflexible set of rules ever to be ushered in. While it is tempting to think of this as a "good thing" (better security means safer customer data), anyone with more than a few years' experience in implementing effective security knows that rigid is not always best, if only because you lose the context of the environment in which you are working. That is why even ISO 17799 promotes process above specific controls.
An example? There are many, but one of my favorites is "1.3.4 Placing the database in an internal network zone, segregated from the DMZ".
I don't want to debate endlessly the reasons why this standard has so many issues, because to do so would be to presume that, like a government standard, there is a hope of repealing the most ridiculous of the requirements.
Which leads me on to my main point: is it such a good thing that companies are being held to so inflexible (and in many places, wholly inadequate) a standard and, if so, for whom? Are we really to believe that the credit card companies, who for so long managed fraud risk through hiking interest rates and forcing all of us to pay more for their failures, are suddenly "born again" concerned for their customers?
Or is it more likely that they are using this as a mechanism to offload risk once again, this time onto the credit card processors? In this scenario, it matters not whether a processor actually implements an effective set of countermeasures; only that the standard provides sufficient reason to fail a processor, post incident. Which calls into question the true effectiveness of any "certification": a "certificate of compliance" is worthless unless people like you have big enough pockets to assume liability and risk.
Thoughts? :)