Comments on: PCI: DSS Petition http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/ life and times of a geek home Tue, 16 Aug 2011 20:20:36 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Tim Holman http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/comment-page-1/#comment-26557 Tim Holman Mon, 21 Jul 2008 15:58:32 +0000 http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/#comment-26557 The intent of the PCI Council is to provide an open global forum around card security with the overall aim of improving it. They're not the ones who will be issuing fines or sending Visa a naughty list. If it's monthly fines we're talking about, then it would be Visa who would be imposing these fines on acquiring banks. The banks would then pass the fines onto non-compliant merchants. In the US a slightly different strategy has evolved, in that acquiring banks are offering discount rates to PCI Compliant merchants. However, if the merchant's particularly big then the merchant will just tell the acquiring bank they're going to switch, so again no real meat for PCI enforcement for large retailers. It's always an interesting subject to talk about - wishy washy QSAs have always been buying time by blaming things on the PCI SSC, or waiting for clarifications on things they should already know about. The PCI SSC don't really have the strength to enforce PCI DSS as they're not the ones who are supposed to. As things stand, PCI Compliance is only ever relevant if you're compromised. This is the one immutable risk that all businesses need to consider. Secondly, PCI Compliance MAY be relevant if fines are introduced. Something still worth putting on the risk register on a 6-12 month timeline. Merchants that do nothing are highly susceptible to the former risk and it follows that it's completely sensible to start addressing major areas of security risk (which an ISO 27001 or PCI DSS gap analysis would identify). Working on the basis that PCI Compliance is only relevant if compromised, it's important to take a risk based approach to PCI DSS and identify the systems, processes and policies that put a merchant at risk of compromise. Each and every component of PCI DSS can be replaced by a compensating control. If a particular control is too expensive (eg network segmentation), then perhaps stronger access control and security policies are the answer? Point is, if you're hitting a financial hurdle then there's probably another answer (other than buying 3rd party products)... We should have a chat sometime - I'll be up your way in a couple of weeks. Not all QSAs are alike... :) The intent of the PCI Council is to provide an open global forum around card security with the overall aim of improving it. They’re not the ones who will be issuing fines or sending Visa a naughty list.
If it’s monthly fines we’re talking about, then it would be Visa who would be imposing these fines on acquiring banks. The banks would then pass the fines onto non-compliant merchants.
In the US a slightly different strategy has evolved, in that acquiring banks are offering discount rates to PCI Compliant merchants. However, if the merchant’s particularly big then the merchant will just tell the acquiring bank they’re going to switch, so again no real meat for PCI enforcement for large retailers.
It’s always an interesting subject to talk about – wishy washy QSAs have always been buying time by blaming things on the PCI SSC, or waiting for clarifications on things they should already know about. The PCI SSC don’t really have the strength to enforce PCI DSS as they’re not the ones who are supposed to.
As things stand, PCI Compliance is only ever relevant if you’re compromised. This is the one immutable risk that all businesses need to consider.
Secondly, PCI Compliance MAY be relevant if fines are introduced. Something still worth putting on the risk register on a 6-12 month timeline.
Merchants that do nothing are highly susceptible to the former risk and it follows that it’s completely sensible to start addressing major areas of security risk (which an ISO 27001 or PCI DSS gap analysis would identify).
Working on the basis that PCI Compliance is only relevant if compromised, it’s important to take a risk based approach to PCI DSS and identify the systems, processes and policies that put a merchant at risk of compromise. Each and every component of PCI DSS can be replaced by a compensating control. If a particular control is too expensive (eg network segmentation), then perhaps stronger access control and security policies are the answer? Point is, if you’re hitting a financial hurdle then there’s probably another answer (other than buying 3rd party products)…
We should have a chat sometime – I’ll be up your way in a couple of weeks. Not all QSAs are alike… :)

]]> By: Mark http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/comment-page-1/#comment-26551 Mark Wed, 16 Jul 2008 19:48:19 +0000 http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/#comment-26551 Yes but I think they are going to continue to do so until we get a stronger message from the PCI Council here in the UK. At the moment it's difficult for companies to justify the budget needed for becoming PCI compliant. They are going to ask what happens if we don't go through this and spend the money? A £5k fine per month? No thanks we will just pay the fine! Yes but I think they are going to continue to do so until we get a stronger message from the PCI Council here in the UK. At the moment it’s difficult for companies to justify the budget needed for becoming PCI compliant.

They are going to ask what happens if we don’t go through this and spend the money? A £5k fine per month? No thanks we will just pay the fine!

]]> By: Tim Holman http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/comment-page-1/#comment-26550 Tim Holman Wed, 16 Jul 2008 17:28:54 +0000 http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/#comment-26550 Is your QSA still being wishy washy? :) Is your QSA still being wishy washy? :)

]]> By: port7 » Blog Archive » Sign my PCI: DSS Petition! http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/comment-page-1/#comment-6869 port7 » Blog Archive » Sign my PCI: DSS Petition! Wed, 04 Jul 2007 09:39:39 +0000 http://www.port7.co.uk/index.php/2007/06/26/pci-dss-petition/#comment-6869 [...] metioned in a previous post I created a petition to the Prime Minister to make the PCI: DSS standards a legal requirement. This [...] [...] metioned in a previous post I created a petition to the Prime Minister to make the PCI: DSS standards a legal requirement. This [...]

]]>