Who's Afraid of PCI? No Need For Fear, Just Compliance
When talking about data breaches and the need for security, whenever credit or debit cards are mentioned, the words "Payment Card Industry Data Security Standard" will appear. This apparently causes many in the financial services and retail industries to reach for that bottle of aspirin and a glass of water.
Retailers such as TJX already know the pain caused by non-compliance. Other retailers should take the time to secure their networks after reading the news from TJX that the large breach (47 million customer accounts compromised) from earlier this year will set TJX back an estimated $150 million.
Financial institutions are the core market of PCI, and according to PCI compliance expert Tony Bradley, "PCI-DSS applies almost universally. Almost every company is somewhere on the credit card process life cycle. They're either giving them, taking them, transmitting the information stored on them, storing the information on them." Bradley holds CISSP, ISSAP, MCSA, MCSE, MCP certifications and is also the guide for the Internet Network Security site on About.com.
"For financial institutions, they're particularly very integrated with that process. They're issuing credit cards and debit cards that double as credit cards, and they certainly are handling data that is personally and financially sensitive. They have to be compliant with PCI-DSS," Bradley explained.
Bradley, technical editor of the recent book "PCI Compliance", which details PCI-DSS's baseline for credit card transaction security, noted, "One thing about PCI-DSS, it's not a law, it's a self-industry regulated guideline." There may not be teeth in terms of federal laws, but the Payment Card Industry can hurt a retailer by taking away merchant status, he added.
Although the card brands' penalties are administered against the acquiring (merchant) bank rather than the retailer directly, there are ways to get to the retailer, he said. "The credit card industry can't penalize the TJX, but [it can penalize] the merchant banks that are processing them."
With banks [and credit unions] now filing lawsuits against TJX, Bradley sees this as the logical thing to do. "Banks are suing TJX, and rightfully so. Because of TJX, and the data breach, this forced them to reissue credit cards and the banks suffered losses from this, so they must pay," he said.
As for enforcement, Bradley believes "there needs to be more teeth put into enforcement, we're passing all of the deadlines for PCI-DSS compliance. In theory everyone should be compliant. But sadly, there are a lot of non-compliant merchants and other information holders that are still out there."
Bradley pointed out, "What financial institutions (and merchants) need to realize is that PCI-DSS isn't rocket science. The things you have to implement are fairly straightforward and simple. So if there are merchants or financial institutions out there saying they don't have them, or can't implement these, well, then there are much bigger questions that need to be asked about their overall approach to and level of information security practices. If they can't be compliant on PCI-DSS, that means they're not doing a good job on information security, period."
There are only 12 requirements in PCI-DSS. "Now, I'm not saying they're easy, but PCI's requirements are not nearly as complicated as SOX or HIPAA, or more convoluted standards out in the banking industry. One of the things that I keep saying, not just for PCI, but for all these regulations, is that the end game is not just to be compliant, but also to be secure," he said.
Because, Bradley concluded, "Compliance does not always equal security."