March 27, 2007
» How Good or Bad is the PCI Data Security Standard?

I've been on the road quite a bit the last few weeks, so I've been a little quieter on the blog front than I'd have liked.

In between my stops, I did pick up some of the fodder on the "Is PCI DSS Good or Bad" debate between Mark at Security Buddha and Michael at PCI Compliance Demystified. In full disclosure, I did attend the PCI Conference in San Francisco with Michael. I thought I had a pretty thorough grasp on PCI compliance, but Michael really knows his stuff.

A few points I'd like to make.

First, we have to remember the PCI Security Standards Council is still in its infancy as the standards body overseeing the PCI Data Security Standard. As a member of the Council, I had the opportunity to participate in a member webex. This was an initial effort to foster direct communication among the members of the group, who, by the way, represent a broad spectrum of the constituencies the standard impacts (consumers excepted).

Based on what I heard, I am confident there will be ample opportunity to communicate the weaknesses within version 1.1 of the standard, so that continued improvements will be made. Can we say the same for Sarbanes-Oxley, HIPAA or GLBA? Which of the bodies overseeing those regulations (SEC, PCAOB, HHS, FFIEC, FTC) are soliciting feedback? Anyone?

Second, and more importantly: efforts to tighten up compliance standards, so that they prove not just compliance but a serious commitment to a secure environment, must continue. The real issue, however, continues to be enforcement...and enforcement of penalties for non-compliance.

In poring through some past issues of Network Computing, I came across Patrick Mueller's article on some recent FTC action related to a data breach of an insecure e-commerce server. Now, there are a lot of interesting twists and turns to this particular story, but the thing that stood out to me like a giant billboard was this: "It became the FTC's 14th data-security case." 1,400 wouldn't have surprised me. I might have done a double-take at 140. But, 14??

We're not even talking about non-compliance here. We're talking about breaches. I don't know about you, but I certainly read about a lot more than 14 of those...a month!

Once again, there is no accountability placed on organizations to take information security seriously.

March 20, 2007
» PCI Standards Tough on Wireless Compliance

PCI DSS is tough on wireless LANs. I suppose wireless LANs have earned this reputation, deservedly so. Too many retailers operate open wireless networks without any encryption, or they have used WEP, which can be broken with about 6 minutes of traffic sampling.

PCI DSS requires the following of wireless LANs:

1. Firewall separation of wireless LANs from the wired network
2. If WEP is used, keys must be rotated at least quarterly
3. No default admin IDs and passwords
4. SNMP agents can't have community strings of "public"
5. Disable SSID broadcasts
6. Preferably use WPA or WPA2
7. Disable FTP
8. Save AP logs

Manually auditing wireless APs is time-consuming. If you are in the middle of wireless audits, www.Wifi-Owl.com is looking for beta testers with Cisco APs to audit and satisfy requirements 2.1.1, 4.1.1, 10.5.4, and 11.1.
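To make the eight items above concrete, here is an added example (not the blog's or Wifi-Owl's code) that audits a normalised snapshot of an AP's configuration and reports which items are not met. The snapshot format, the `WEAK_AP`/`HARDENED_AP` values and the default-admin list are all constructed assumptions, not a real vendor export format.

```python
from datetime import date

# Assumed list of vendor default admin IDs; extend for your own fleet.
DEFAULT_ADMIN_IDS = {"admin", "cisco", "root"}
WEP_ROTATION_MAX_DAYS = 90  # "at least quarterly"

# Constructed AP snapshots: every key is an assumption about how a config
# export would be normalised before auditing, not a real vendor schema.
WEAK_AP = {
    "wired_segment_firewalled": False, "encryption": "wep",
    "wep_key_last_rotated": date(2006, 11, 1),
    "admin_user": "admin", "admin_password_is_default": True,
    "snmp_communities": ["public"], "ssid_broadcast": True,
    "ftp_enabled": True, "log_forwarding": False,
}
HARDENED_AP = {
    "wired_segment_firewalled": True, "encryption": "wpa2",
    "admin_user": "wlan-ops", "admin_password_is_default": False,
    "snmp_communities": ["r3ad-only-x7q"], "ssid_broadcast": False,
    "ftp_enabled": False, "log_forwarding": True,
}

def audit_ap(cfg, today=date(2007, 3, 20)):
    """Return [(item_number, finding), ...] for each listed item not met."""
    f = []
    if not cfg.get("wired_segment_firewalled"):
        f.append((1, "wireless LAN not firewalled from the wired network"))
    enc = str(cfg.get("encryption", "none")).lower()
    if enc == "wep":  # item 2 only applies when WEP is in use
        last = cfg.get("wep_key_last_rotated")
        if last is None or (today - last).days > WEP_ROTATION_MAX_DAYS:
            f.append((2, "WEP keys not rotated within the last quarter"))
    if cfg.get("admin_password_is_default") or \
            cfg.get("admin_user", "").lower() in DEFAULT_ADMIN_IDS:
        f.append((3, "default admin ID or password still in use"))
    # "public" is the item on the page; "private" is its usual RW twin.
    if any(c.lower() in ("public", "private") for c in cfg.get("snmp_communities", [])):
        f.append((4, "SNMP community string is a well-known default"))
    if cfg.get("ssid_broadcast"):
        f.append((5, "SSID broadcast enabled"))
    if enc not in ("wpa", "wpa2"):
        f.append((6, f"encryption is '{enc}'; WPA/WPA2 preferred"))
    if cfg.get("ftp_enabled"):
        f.append((7, "FTP service enabled on the AP"))
    if not cfg.get("log_forwarding"):
        f.append((8, "AP logs are not being saved or forwarded"))
    return f

if __name__ == "__main__":
    for n, msg in audit_ap(WEAK_AP):
        print(f"item {n}: {msg}")
```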

March 9, 2007
» A Scan May Get You PCI Compliance, Not Security

Mike Rothman, in yesterday's Daily Incite, made a good point in his comments related to a piece on PCI Compliance Joel Dubin wrote for SearchSecurity.com.

Dubin did a good job capsulizing PCI, but spent the latter part focused just on the network scan and self-assessment. The reality is, as Mike pointed out, neither of these will necessarily improve your security.

At a minimum, regardless of your level, make a commitment to meet or exceed the standards in the auditor's document for PCI DSS.

As Mike says, and I agree wholeheartedly, if you adopt effective information security processes, you'll have no problem with PCI or any other compliance mandate.

March 2, 2007
» Does PCI Have Enough Carrots and Sticks or Does It Have No Teeth?

Thanks to Mike from pcianswers.com for his recent comments to my post on PCI penalties not being stiff enough. I am thrilled that there are finally some carrots and sticks like Mike mentions in his recent blog.

But, how much is the one-time payment in the Visa CAP program? $10,000 a month? For you and me, that's a lot of money, but, to a large company, it may be peanuts...or at least less expensive than the cost to comply.

To me, the best enforcement is by the CONSUMER. I would like to walk into a store or shop on-line and see some kind of sign that I would trust indicating that this merchant has been validated - a "Good Housekeeping seal" of some kind.

Conversely, I would like to know if the merchant is not compliant. As a consumer, I want to be informed so that I can make a decision to shop here or not. At the end of the day, it is about protecting consumers.

Give consumers the power to decide. That's my two cents.

Speaking of carrots and sticks, news stories are starting to give us some idea what TJX may be facing in fines as a result of their data breach. According to some stories, the amount could be in the half-million dollar range. A significant fine, to be sure, but, to my point above, what is that to a company like TJX? Not sure it's still a big enough stick, given the costs of covering the fraudulent purchases and replacing millions of cards at $30 apiece. Evan Schuman talks about the lack of teeth in PCI on eweek.com this week.

What's your opinion?


February 28, 2007
» A Rational Voice Among the PCI Noise

This guy, Mike Rothman, knows what he is talking about. Mike's been going through his Daily Incites for 2007 and yesterday he landed on PCI compliance.

If only security standards and regulations were really taken seriously.

But, as Mike points out, there's...

1. No real enforcement
2. A lot of ambiguity on what's required
3. Too much confusion among CSO and Compliance people

As Mike said, CSOs, CISOs, CIOs, and compliance officers need to focus less on what will make them compliant and a whole lot more on what will make their enterprise secure.

Oh, and a lot more public outcry is going to be needed! Until the penalties for non-compliance are as weighty as the laws themselves are to read, there's really nothing to prevent more data breaches like TJX's.

February 27, 2007
» Was TJX Non-compliant with PCI at Time of Breach?

According to a story on ePayNews.com yesterday, an unnamed spokesperson at MasterCard is quoted as saying "TJX was not PCI-compliant at the time of the breach, as reported by its acquirer, but we understand that TJX was actively working toward compliance."

Now, I'm more than a little interested to see what MasterCard would say if approached to confirm this statement "on the record", but I've got a hunch someone at MasterCard shared this information.

It's not really a surprise though, is it? How many more TJX stories will it take for companies to take PCI seriously? Or, is Gartner VP Avivah Litan right when she's quoted in the same article on ePayNews.com saying that "banks need to take more responsibility and start strengthening cardholder authentication" rather than waiting for the retailers to fix everything?

Ultimately, I think everyone involved - the credit card companies, financial institutions, processors, and retailers - together must all take responsibility for what they can improve and take practical steps to resolve gaps now.

As I've said before, and reinforced beautifully by yesterday's post by The Security Catalyst, Protecting Information is Not a Seasonal Event.