Filed Under (Europe, Government, PCI DSS) by Rob Newby on March-19-2007

I’ve just posted about Kenneth Belva’s latest article on my personal blog. I don’t want to repeat myself, but PCI in Europe is a case in point for the weight of reputational damage in driving security, and I think it also proves that it IS loss of reputation that drives people to comply, rather than financial liability.

PCI DSS in the US is driven hard by California’s data rulings: everyone complies with PCI DSS because they know they are protected from the big ugly monster of SB1386. In the UK and Europe, no such laws exist as yet, and PCI, with exactly the same rules, deadlines and effects, is still nowhere near as “complied with” as in the US.

The value of the data is usually weighed up against the cost of losing the data (I know Alex at Risk Analys.is will have something to say on this). If one is significantly out of line with the other, we either get security, or more regulations have to be applied to back it up. We in Europe need another backup.

PCI is good and strong; it has the right ideas and motives, but it doesn’t cost enough to ignore. £500,000 isn’t enough for a big push, or even for the big publicity to generate more talk around a big push. The loss of brand reputation absolutely is. Come November this year we should be seeing a shift towards PCI when a committee sits in Brussels to decide the future of the European Data Protection Directive. This time we are hoping for a disclosure clause, and PCI will become the facilitator that it has always promised to be.



Comments
datasecurity on March 19th, 2007 at 4:16 pm #

PCI does “cost” enough. Remember that the £500,000 is only for violation of the operating regulations from one card brand. The real cost for larger merchants can be seen in the multiples.

Rob Newby on March 20th, 2007 at 12:43 am #

I don’t really think the multiples make a difference to the larger retailers (even if they do know about them), when the cost is such a small margin of their operating profit. When companies like Tesco are turning in £2.2bn a year, £3 million suddenly looks very small.
However, they are in a pretty tight market space where every little thing counts, even down to moving where the goods are placed in the shop. With their competitors announcing schemes to win back market share (“Making Sainsbury’s great again” - hmm) they need to do everything they can to protect their brand reputation.
I’m not saying that PCI can’t affect them, I wouldn’t be here if it didn’t, but hitting the brand is a far more effective way of making them comply and in turn promoting security.

[...] Newby writes on PCI Compliance Demystified, writes “PCI in Europe is a case in point for the weight of reputational damage in driving [...]

datasecurity on March 20th, 2007 at 7:23 am #

I agree this is a good debate, and one that will ultimately decide the fate of compliance for super-stores like Tesco (UK) and Walmart (USA). Sure the increased size of the store increases their risk (i.e. more credit cards stored so a loss would be much greater) but until a large compromise happens there is no way to know if this philosophy really holds up.

TJX was a wake up call for many US based merchants. It may take such a compromise in the UK for merchants there to take serious notice of their risk.

Rob Newby on March 20th, 2007 at 9:34 am #

TJX was a classic case of getting it wrong and ignoring it even when warned. They really deserved to be fined, and to get the ensuing reputational bashing. You’re right, a big event like that in the UK would show why security matters, and that we don’t just push PCI because it’s fun. The UK has always had the classic “shutting the stable door after the horse has bolted” approach to security.
The thing which TJX also proves is that, at the moment, there is no such thing as perfect security. PCI pushes for strong policies, regular vulnerability testing and avoiding pitfalls like default passwords, and these are some of the most sensible things you can do in any security environment, but we still haven’t fixed everything with technology either.
Whichever way it eventually goes, I would rather these guys learned about PCI by being threatened with disclosure than by actually having to disclose something.

admin on April 26th, 2007 at 2:27 pm #

Article on “Brussels-inspired laws are passed, paving way for steps to cut fraud : Germany leads EU on disclosure rules”

Germany has become the first European Union country to pass more stringent, Brussels-inspired laws on financial disclosure, paving the way for wider adoption of regulations designed to curtail fraud in the financial industry.

Paris is relaxing at PCI Compliance Demystified on April 27th, 2007 at 9:40 am #

[...] is slowly sinking in the effect SEPA (Single Euro Payments Area) will have on the PCI DSS market. In a post that Rob mentioned in March (PCI awareness month) he hinted at something the card associations have [...]
