PCI: DSS Petition


Working on PCI: DSS at work at the moment, and I'm getting frustrated with the wishy-washy statements from our QSA and the PCI Council, which really don't help me in convincing the exec that we need to take this seriously. They are under the impression that the PCI Council doesn't really have any 'teeth', so the spend to become PCI compliant can't really be justified, and in a way I agree.

So I decided to submit a petition on the petition website to ask that the government make it a legal requirement that companies become PCI compliant.

I don't know if it will do anything, but it's worth a go. When it gets approved and I get the URL, I will post it here so you can sign it.

4 Responses to “PCI: DSS Petition”

  1. port7 » Blog Archive » Sign my PCI: DSS Petition! Says:
    July 4th, 2007 at 10:39 am

    [...] mentioned in a previous post I created a petition to the Prime Minister to make the PCI: DSS standards a legal requirement. This [...]

  2. Tim Holman Says:
    July 16th, 2008 at 6:28 pm

    Is your QSA still being wishy washy? :)

  3. Mark Says:
    July 16th, 2008 at 8:48 pm

    Yes but I think they are going to continue to do so until we get a stronger message from the PCI Council here in the UK. At the moment it’s difficult for companies to justify the budget needed for becoming PCI compliant.

    They are going to ask what happens if we don't go through this and spend the money? A £5k fine per month? No thanks, we will just pay the fine!

  4. Tim Holman Says:
    July 21st, 2008 at 4:58 pm

    The intent of the PCI Council is to provide an open global forum around card security with the overall aim of improving it. They’re not the ones who will be issuing fines or sending Visa a naughty list.
    If it’s monthly fines we’re talking about, then it would be Visa who would be imposing these fines on acquiring banks. The banks would then pass the fines onto non-compliant merchants.
    In the US a slightly different strategy has evolved, in that acquiring banks are offering discount rates to PCI Compliant merchants. However, if the merchant’s particularly big then the merchant will just tell the acquiring bank they’re going to switch, so again no real meat for PCI enforcement for large retailers.
    It’s always an interesting subject to talk about - wishy washy QSAs have always been buying time by blaming things on the PCI SSC, or waiting for clarifications on things they should already know about. The PCI SSC don’t really have the strength to enforce PCI DSS as they’re not the ones who are supposed to.
    As things stand, PCI Compliance is only ever relevant if you’re compromised. This is the one immutable risk that all businesses need to consider.
    Secondly, PCI Compliance MAY be relevant if fines are introduced. Something still worth putting on the risk register on a 6-12 month timeline.
    Merchants that do nothing are highly susceptible to the former risk and it follows that it’s completely sensible to start addressing major areas of security risk (which an ISO 27001 or PCI DSS gap analysis would identify).
    Working on the basis that PCI Compliance is only relevant if compromised, it's important to take a risk-based approach to PCI DSS and identify the systems, processes and policies that put a merchant at risk of compromise. Each and every component of PCI DSS can be replaced by a compensating control. If a particular control is too expensive (e.g. network segmentation), then perhaps stronger access control and security policies are the answer? Point is, if you're hitting a financial hurdle then there's probably another answer (other than buying third-party products)…
    We should have a chat sometime - I’ll be up your way in a couple of weeks. Not all QSAs are alike… :)
