PCI DSS and Regulatory Compliance Blog

What percent complete is your PCI project?

July 10th, 2008 Posted in Compliance

Everyone from politicians to economists tracks metrics and statistics.  It’s the core of how we analyze the world and mentally quantify what is around us.  Visa tracks merchant compliance statistics within the USA, but what about other regions?  What’s happening around the world?

Rob Newby had some things to say about a recent survey of European companies.  (To which I replied here.)  Walt Conway just published his NABCU survey results.  These surveys are all good, but many of them focus on the “percent complete” issue.  It reflects the lethargy within a company if it is waiting to make a move until it sees others around it doing something.

Really, what does it mean to you as a company if others within your geographic region are 50% done with their PCI compliance project?  Do you feel more momentum to do something if your company is on the tail end of a statistic, and less if you’re on the leading edge?  I suppose Malcolm Gladwell’s book The Tipping Point is apropos here, as he argues for the theory of critical mass in the adoption of any fad.

The difficulty is that these statistics mean little to the security of your company.  How many Level 1 merchants were compliant when TJX, Hannaford, or Card Services were compromised?  Did it really have an effect on their security that 20%, 50%, or 90% of similar companies had addressed their compliance requirements?

When it comes to compliance, the only statistic that matters is yours!  What have you done to reduce the risk of cardholder data loss at your company?  What are you doing to protect your customers’ data?  Do you even know where to start and what to do?  If you have questions, post them in the SPSP Forum.

Update: Gideon Rasmussen of Bank of America wrote the document “Beyond Minimum Compliance”. Documents named as such should show that, at least in the US, we reached critical mass long ago and people are not working now phase 2.

6 Responses to “What percent complete is your PCI project?”

  By Jack on Jul 11, 2008

    I would also like you to inform us some more about IT Governance and Compliance.
    IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: Greater business value from IT strategy, investment and alignment, Significantly reduced business and financial risk from the use of IT, and Conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report. You can also get more information from http://www.compliancehome.com/symantec/

  By wconway on Jul 11, 2008

    Mike, I completely agree with your take on the meaning of this and other survey results. Knowing that half of your peers are compliant is only relevant if it makes you ask: am I compliant; where am I on the compliance track? Compliance is a one-zero state — you are or you aren’t.

  By Michael Dahn on Jul 11, 2008

    @Walt, my perspective is the micro-realist, but surveys are for the macro-realist. It is true that many companies sit still until there is critical mass among their peers. I understand they don’t want to make a rash decision, but they should be sure their data is secure.

    I like surveys because they help teach others where they stand, but in order to move forward some people must take the plunge. When it comes to data protection I would rather be on the forefront of that curve, one step ahead of the hackers, than behind it.

  By Mary Fetherolf on Jul 15, 2008

    I believe you meant to end with “… and people are NOW working on phase 2”?

    PS: I check this blog a lot and find it very helpful - thanks.

  By Michael Dahn on Jul 16, 2008

    @Mary, thanks for your editorial skills and the praise.

1 Trackback(s)

  Jul 30, 2008: PCI Blog - Compliance Demystified » Blog Archive » PCI Survey
