Tom Olzak

PCI DSS is a get out of jail free card

In Business Continuity, Cybercrime, Data Security, PCI DSS, Piracy Legislation, Risk Management on April 2, 2009 at 08:21

The problem with security standards is that they often become a get out of jail free card for organizations which believe in doing only the bare minimum necessary to stay out of trouble. Some standards, like the PCI DSS, add real value when protecting sensitive information, but they don't go far enough. They become something management can point to and say, "See. We're secure."

Apparently it takes a congressional hearing to sort this out.

The PCI standard, long touted as one of the private sector’s best attempts to regulate itself on data security, is increasingly showing signs of coming apart at the seams.

At a hearing in the U.S. House of Representatives Wednesday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little thus far to stop payment-card data thefts and fraud.

Source: PCI security standard gets flayed at House hearing, Jaikumar Vijayan, Computerworld, 1 April 2009

No, Congress is certainly not the right body to control cybersecurity. However, in this case I think they got it right by simply stating the obvious.
