Who's Afraid of PCI? No Need For Fear, Just Compliance

Who's Afraid of PCI? No Need For Fear, Just Compliance

When talking about data breaches and the need for security, whenever credit or debit cards are mentioned, the words "Payment Card Industry Data Security Standards" will appear. This apparently causes many in the financial services and retail industries to reach for that bottle of aspirin and a glass of water.

See Also: Find Your Way Out of the PCI DSS Compliance Maze

Retailers such as TJX already know the pain caused by non-compliance. Other retailers should think of taking time to secure their networks after reading the news from TJX that the large breach (47 million customer accounts compromised) from earlier this year will set TJX back an estimated $150 million.

Financial institutions are the core market of PCI, and according to PCI compliance expert Tony Bradley, "PCI-DSS applies almost universally. Almost every company is somewhere on the credit card process life cycle. They're either giving them, taking them, transmitting the information stored on them, storing the information on them." Bradley holds CISSP, ISSAP, MCSA, MCSE, MCP certifications and is also the guide for the Internet Network Security site on About.com.

For financial institutions, they're particularly very integrated with that process. They're issuing credit cards and debit cards that double as credit cards, and they certainly are handling data that is personally and financially sensitive. They have to be compliant with PCI-DSS," Bradley explained.

Bradley, the technical editor for recent book detailing PCI-DSS's baseline for credit card transaction security "PCI Compliance" noted, "One thing about PCI-DSS, it's not a law, it's a self-industry regulated guideline," he noted. There may not be teeth in terms of federal laws, but the Payment Card Industry can hurt a retailer, by taking away merchant status, he added.

Although credit card industry penalties can only be administered against the issuing bank, there are ways to get to the retailer, he said. "The credit card industry can't penalize the TJX, but the merchant banks that are processing them."

With banks [and credit unions] now filing lawsuits against TJX, Bradley sees this as the logical thing to do. "Banks are suing TJX, and rightfully so. Because of TJX, and the data breach, this forced them to reissue credit cards and the banks suffered losses from this, so they must pay," he said.

As for enforcement, Bradley sees "there needs to be more teeth put into enforcement, we're passing all of the deadlines for PCI-DSS compliance. In theory everyone should be compliant. But sadly, there are a lot of non-compliant merchants and other information holders that are still out there."

Bradley pointed out, "What financial institutions (and merchants) need to realize, PCI-DSS isn't rocket science. The things you have to implement are fairly straightforward and simple. So if there are merchants or financial institutions out there saying they don't have them, or can't implement these, well, then there are much bigger questions that need to be asked about their overall approach to and level of information security practices. If they can't be compliant on PCI-DSS, that means they're not doing a good job on information security, period."

There are only 12 requirements in the PCI-DSS, "Now, I'm not saying they're easy, PCI's requirements are not nearly as complicated as SOX or HIPAA, or more convoluted standards out in the banking industry. One of the things that I keep saying, not just for PCI, but for all these regulations is that the end game is not just to be compliant, but also to be secure," he said.

Because, Bradley concluded, "Compliance does not always equal security."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.