The Field Report with Tom Field

PCI: The Big Unanswered Question

PCI: The Big Unanswered Question

Question: Which companies claimed to be PCI compliant at the time they were breached?

It's become the familiar refrain this year. Each time we see a major data breach related to payment card data, the breached entity says 'Gee, well we were told we were PCI compliant - how could this happen?'

How many times can we continue to go through the dance of 'What is PCI compliance?' and 'Is it or is it not a viable security standard?' 

The PCI marketing machinery then gets into motion, reminding us all that PCI compliance is but a snapshot in time - not a warrantee against future breaches.

Meanwhile, tens of thousands of consumers have their personal information exposed to potential compromise. They probably don't know or care what PCI is. They just want to know 'Why wasn't I protected?'

Fair question, and it deserves an answer. How many times can we continue to go through the dance of 'What is PCI compliance?' and 'Is it or is it not a viable security standard?'

Frankly, it scares me to see the State of Nevada adopting PCI as its de facto privacy standard just months after the Heartland hack and weeks before Network Solutions announced its breach. Other states are likely to follow suit, and yet the information security industry is still arguing about the efficacy of the standard and those who assess it.

Linda McGlasson has just written a new piece about the Network Solutions breach and the PCI debate, and in it Gartner analyst Avivah Litan raises some key questions about PCI:

  • The standard relies largely on qualified data security assessors. But who watches the watchmen - who assesses the assessors?
  • Assessors bear no liability or responsibility if they get the assessment wrong. So, 573,300 potential compromises = an "oopsie ...?"
  • PCI puts all the security responsibility on the retailers and payment processors, but fails to address the antiquated (and vulnerable) payment system.

Again, fair questions all, and this time - once and for all -- the payment card industry and its partners need to adequately address them. Enough Hannafords, Heartlands and Network Solutions. Let's not add any more names to the list.

About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.