PCI: The Big Unanswered Question
Question: Which companies claimed to be PCI compliant at the time they were breached?
It's become the familiar refrain this year. Each time we see a major data breach related to payment card data, the breached entity says 'Gee, well we were told we were PCI compliant - how could this happen?'
How many times can we continue to go through the dance of 'What is PCI compliance?' and 'Is it or is it not a viable security standard?'
The PCI marketing machinery then gets into motion, reminding us all that PCI compliance is but a snapshot in time - not a warrantee against future breaches.
Meanwhile, tens of thousands of consumers have their personal information exposed to potential compromise. They probably don't know or care what PCI is. They just want to know 'Why wasn't I protected?'
Fair question, and it deserves an answer. How many times can we continue to go through the dance of 'What is PCI compliance?' and 'Is it or is it not a viable security standard?'
Frankly, it scares me to see the State of Nevada adopting PCI as its de facto privacy standard just months after the Heartland hack and weeks before Network Solutions announced its breach. Other states are likely to follow suit, and yet the information security industry is still arguing about the efficacy of the standard and those who assess it.
- The standard relies largely on qualified data security assessors. But who watches the watchmen - who assesses the assessors?
- Assessors bear no liability or responsibility if they get the assessment wrong. So, 573,300 potential compromises = an "oopsie ...?"
- PCI puts all the security responsibility on the retailers and payment processors, but fails to address the antiquated (and vulnerable) payment system.
Again, fair questions all, and this time - once and for all -- the payment card industry and its partners need to adequately address them. Enough Hannafords, Heartlands and Network Solutions. Let's not add any more names to the list.