Sunday, March 15, 2009

PCI and the Efficacy of Self Regulation

Tucked away in the conclusion of this article is an interesting question: is the PCI Data Security Standard effective? Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me). The more interesting question is whether the PCI DSS, or any form of self regulation, can be an effective counter to information security threats. I don't know the answer, but the article gives some indication that the answer might be no.

Of course, the article itself did not tackle the question of self regulation versus governmental oversight. The article was devoted to describing a new set of guidelines intended to make the process of becoming PCI compliant easier. Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what is necessary to comply, and, as a result, do nothing. The hope is that, by breaking the requirements down and ranking them by priority, the new guidelines will make the task more manageable and therefore increase compliance. The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned in light of recent security breaches such as the one at Heartland Payment Systems. The article mentioned that a spokesman from the PCI Security Standards Council had said that there wasn't anything wrong with the standards. However, if that's true, it raises a bigger question - why are the breaches still happening?

One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self regulation isn't an effective means of influencing behavior. I think that position is probably too extreme - merchants do care about the PCI DSS. However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like the one at Heartland keep happening, indicate that something needs to change. Maybe that change is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.

5 comments:

Metlin said...

William, from experience, I can tell you that it is really not.

A lot of people follow the standards of compliance well enough, but do not do enough to prevent any real security threats to credit card information. There is no use in preventing the odd theft of a credit card while losing millions in data thefts.

It's the letter of the law vs. the spirit of the law thing.

pci said...

I've just come across your blog.
Helpful blog!
Cheers :-)

Apostille said...

Great blog. Your posts have good content.

Apostille

Criminal Defense Attorney said...

I think the PCI should make strict rules for the companies that share credit card information for payment. They should also be punished when information is cracked from their systems.