Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI 30-second Elevator Pitch

February 7th, 2007 by datasecurity Posted in Merchant, Service Provider

Martin McKeay asks:

Does anyone have a good 30-second explanation of PCI? In other words, if you have a couple minutes in the elevator with the CFO of your company, how do you describe PCI and get him wanting to know more? Or, if your Aunt Beth wants to know what you do, how do you explain PCI in terms she can understand?

To which Adam Muntner of QuietMove has a good reply:

To Aunt Beth: “I prevent evil hackers from stealing your credit card
numbers.”

To CFO: “The credit card industry formed a self regulation group and set of security standards to keep the Feds off their back about fraud and consumer privacy. They have the contractual power to impose huge fines on companies whose customers’ card numbers get stolen, and can’t demonstrate due care by following the security standards. If we do get hacked but followed the rules to the letter, they can choose to not fine us at all, or opt to fine us less.”

Another good answer is to say that in addition to fines/fees there are also more critical penalties. The card associations/brands have the ability to restrict a company from processing their cards. This is what happened with CardSystems (CSSI) when Visa and MasterCard told them they could no longer accept their cards for payment. This effectively eliminated their ability to perform or process e-commerce transactions.

Additionally, you could tell your CEO/CFO/COO that starting on September 30, 2007 there will be immediate fines for companies that have not validated their PCI compliance.

[Source: Yahoo! PCI Group]

4 Responses to “PCI 30-second Elevator Pitch”

By Daniel on Feb 7, 2007

To Aunt Beth: When you buy your knitting supplies, some evil man won’t go shopping with your bridge money.

To CFO: With the way laws are currently being drafted, it will mean you staying out of club fed longer if you do make sure you are secure.

By Brendon Wilson on Feb 13, 2007

Beyond being fined and losing the ability to be able to process credit cards, there is also the problem of cost recovery: not only will your company get fined and suffer the incalculable cost of reputation damage, it will also have to pay for the cost of replacing cards, notifications, and other activities conducted by the payment brand as a result of the breach.

By datasecurity on Feb 13, 2007

This is very true. I would point you to the post on Visa’s ADCR program. Additionally, there are many other ways that acquirers and issuers will recover their money; many of them involve lawsuits.

By Walter on Jun 8, 2007

Elevator pitch… PCI is about protecting our BRAND. The risk is that you, Ms/Mr CFO, come to work one morning and find yourself facing a film crew and TV lights asking why you allowed the bad guys to steal the credit cards and identities of your customers. The risk is that customers are reluctant to shop with us or trust us ever again.
