PCI Compliant? You are until they say you’re not

2 Comments | This entry was posted in Technology

Earlier this year, I testified at a Congressional hearing held by the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. During the hearing, I told members of Congress that PCI is little more than an elaborate patch. While PCI can reduce some fraud – at extraordinary cost – it is not nearly as effective as a redesign of card processes themselves.

Even after all the hoops retailers need to jump through to get to PCI compliance, there is no safe harbor for a company that is certified “compliant” when it is victimized by hackers. When news hit that Network Solutions, a software company that accepts payment card data for small businesses, recently suffered a data breach, I wasn’t the only one surprised to learn that the company was PCI compliant. This isn’t the first time a company that was certified “compliant” was breached and then had its compliance status ripped out from underneath it.

The statement released by the PCI Council after the Network Solutions breach wasn’t exactly a ringing endorsement for those merchants that believe a PCI compliance certificate is supposed to mean something. In his statement, the PCI Council’s Bob Russo said, “Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status.” The statement went on to say that “ongoing vigilance” is essential in maintaining PCI compliance. So much for acknowledging the flaws in PCI.

To me it’s simple: either PCI compliance works or it doesn’t. If the PCI Council cannot supply safe harbor for a breached company once it has found that they are PCI compliant, it’s hard to swallow that they can fine companies for non-compliance.

PCI compliance is a worthy goal, but clearly it has a long way to go before we should consider it an enforceable standard.


One Comment

  1. Ken Smith
    Posted November 26, 2009 at 2:20 pm

    The big problem is that the QSAs doing PCI assessments are inconsistent and sometimes just wrong. This is one of the reasons why you keep hearing that PCI is “expensive”. If done correctly, it doesn’t have to be expensive. And PCI itself usually isn’t the reason it may be costly; that’s usually attributed to the complete lack of any countermeasures or good practices being in place in the first place. In these cases, PCI isn’t costly. It’s getting the company up to the 21st century and where they should have been in the first place. PCI was the stimulus for appropriate risk management.

One Trackback

  1. By Chaordic Mind » Dave Hogan doesn’t know PAN on August 7, 2009 at 3:39 am

    [...] a recent blog posting Dave Hogan, CIO of the National Retail Federation (NRF), reiterated his dogmatic stance that [...]
