Friday, September 11, 2009

More thoughts on PCI DSS

Network Solutions, whose recent security breach exposed almost 600,000 cardholders, said "We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant." This is another example of the mindset I referred to in my last post: PCI compliance does not equal security.

If PCI compliance doesn't equal security, does it equal culpability? Indeed, Heartland's CEO blamed the PCI QSA for the breach. Interestingly, Nevada in June passed a law that mandates PCI compliance for businesses that accept payment cards and provides that compliance will shield such businesses from liability for damages from a security breach.

As the breaches continue, let's recall Visa's statement after Heartland:

PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. [emphasis added]

Good to know.
