Looking at the battering that PCI-DSS took at a recent US Congressional hearing, one might assume that PCI-DSS is simply not sufficient for protecting customer data. The congressional hearing is discussed here.
The question should not be WHETHER it is sufficient for protecting customer data; the real issue is whether there are any other efforts in the industry to define something along the lines of PCI.
PCI is the first standard of its kind, drawn up by a council formed by the major card brands, and it is a strict requirement for any entity processing credit card transactions at scale. The standard consists of a set of requirements and relies on the expertise of qualified security assessors to evaluate the state of an entity's compliance.
Again, the quality of the auditors is also critical to the success of the standard. Further work on the standard is needed to find the loopholes and opportunities for improvement, based on the real-world experience of the credit card breaches that have happened since the standard was introduced.
There is no second chance for any vendor who loses customer data. It is not just reputation that is at stake; it costs MONEY. :(
As I like to say, PCI-DSS is like SOX compliance with the sole exception being that SOX compliance is attainable.
PCI-DSS shouldn't be thrown away, because it codifies a lot of security-related best practices into a single guide that is relatively easy for someone to follow, but the specification is still too "open-to-interpretation" right now. PCI-DSS needs much stricter "RFC-style" language: "SSLv2 MUST be disabled EVERYWHERE" or "SSLv2 MUST be disabled on sites where cardholder data is being transmitted and SHOULD be disabled everywhere else".
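Taking the comment's SSLv2 rule as a concrete case, here is an added example (not part of the post or of the comment above) of what RFC-style wording buys you: once a requirement says MUST/SHOULD and names its scope, it can be checked mechanically instead of argued about during an audit. The script resolves an Apache 2.2 `SSLProtocol` directive the way mod_ssl does and grades each virtual host as FAIL (MUST violated), WARN (SHOULD violated) or PASS. The hostnames, the config snippets and the per-host "handles cardholder data" flag are constructed for the example and are not from the original page.

```python
import re

# Apache 2.2's expansion of the SSLProtocol keyword "all" (TLSv1.1/1.2 were
# added later, with OpenSSL 1.0.1).  What matters here is that "all"
# included SSLv2, so a host with no explicit exclusion still offered it.
ALL = {"SSLv2", "SSLv3", "TLSv1"}


def enabled_protocols(value):
    """Resolve an SSLProtocol directive value to the set of enabled protocols.

    Tokens are applied left to right, as mod_ssl does: a bare name or
    "+name" enables a protocol, "-name" disables it, and "all" stands for
    the whole set in ALL.
    """
    enabled = set()
    for token in value.split():
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = ALL if name.lower() == "all" else {name}
        if remove:
            enabled -= names
        else:
            enabled |= names
    return enabled


def evaluate(vhost_config, handles_cardholder_data):
    """Apply the rule "SSLv2 MUST be disabled where cardholder data is
    transmitted and SHOULD be disabled everywhere else" to one vhost.

    Returns (verdict, enabled_protocols): FAIL for a MUST violation,
    WARN for a SHOULD violation, PASS otherwise.
    """
    match = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", vhost_config, re.MULTILINE)
    if match:
        enabled = enabled_protocols(match.group(1))
    else:
        # No directive at all: Apache 2.2 defaulted to "all", SSLv2 included.
        enabled = set(ALL)
    if "SSLv2" not in enabled:
        return "PASS", sorted(enabled)
    return ("FAIL" if handles_cardholder_data else "WARN"), sorted(enabled)


def audit(inventory):
    """Grade every (name, config, handles_cardholder_data) entry."""
    return {name: evaluate(cfg, chd)[0] for name, cfg, chd in inventory}


# Constructed vhost snippets for illustration; the hostnames are not real.
CHECKOUT = """
<VirtualHost *:443>
    ServerName checkout.example.test
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

WWW = """
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""

BLOG = """
<VirtualHost *:443>
    ServerName blog.example.test
    SSLEngine on
</VirtualHost>
"""

INVENTORY = [
    ("checkout", CHECKOUT, True),   # transmits cardholder data: MUST applies
    ("www", WWW, True),
    ("blog", BLOG, False),          # no cardholder data: only SHOULD applies
]

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name}: {verdict}")
```

The host worth noticing is the one with no `SSLProtocol` line at all: under Apache 2.2 the default was `all`, so it quietly offered SSLv2, which is exactly the kind of gap a requirement phrased as "use strong cryptography" leaves to the assessor's judgement and a MUST with a named scope does not.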