Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI will not bake you bread

November 18th, 2007 by admin Posted in Uncategorized

One of the eternal issues people raise about PCI is that it is not perfect. People point out flaws, which are then corrected or explained through interpretation. But this is normal and fully expected. It’s when people expect PCI to somehow be the ubermensch of compliance programs — that somehow it is flawed if it does not do everything, even bake me bread — that is when I sigh.

Here are some things that PCI does not (and is not meant to) do:

  1. Prevent all data compromises. The goal of PCI is to prevent the electronic and paper theft of credit card data. It does not prevent credit card skimming, an employee writing down credit card numbers and taking them, or other unscrupulous methods of fraud.
  2. Police the Internet. Some people feel that PCI should provide not only the rules and enforcement for data security, but also act as a universal arbitrator for all things data security related.
  3. Enforce Biblical Rule. PCI is not meant to enforce the “thou shalt not lie” concept. The ha.ckers.com group wrote about how to “subvert” PCI, but that is not special to PCI. Can you fool your FDIC examiner into thinking you are GLBA compliant by lying to them? Can you fool your CPA auditor into thinking you are SOX compliant by feeding them false data? Sure - what’s new?

Update: See also comments here from the Belgians. Algemeen reminds us of what I mentioned in rule #1. But if you are spending the money to secure your credit card data, why not extend that security infrastructure, at minimal additional cost, to protect all personally identifiable information (PII)?

3 Responses to “PCI will not bake you bread”

By Mike on Dec 1, 2007

I feel that big companies should try to spend some resources on adhering to standards like PCI to avoid such security breaches. Enforcing these standards will help them to comply with many other regulations also. A crosswalk poster between different regulations is a very useful tool for IT & compliance team members, especially when it is available at no cost. This poster is a crosswalk between: ISO 17799, COBIT 4.0, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada) http://www.compliancehome.com/symantec/

2 Trackback(s)

  1. Jan 29, 2008: PCI DSS Compliance Demystified » Blog Archive » What is PCI all about?
  2. Oct 31, 2008: PCI Blog - Compliance Demystified » Blog Archive » Skimming not a violation of PCI DSS
