07.10.09

PCI does not mean good security!

Posted in Uncategorized at 9:54 am by Bastien

Fact: Heartland had successfully passed the PCI audit requirements, yet was hacked. And if it were the only case… but it was not.

Do not get me wrong. The PCI standards are definitely a step in the right direction. The industry, and by that I mean card issuers, transaction acquirers, and merchants, needs to smarten up. Card payment is a necessity in this day and age. It is convenient for all parties involved in a payment transaction. Do you think we could revert to bartering (how many goats again for this flat screen TV?)? How about walking around with $2,000 cash in $20 bills to pay for this TV? Or should we go back to cheques (who would assume the risk, and what are the costs)? The industry needs to embrace the necessity to protect cardholder data, otherwise cardholders will lose faith in the system. Or worse, politicians will regulate the system. Bruce Schneier has been saying for years that the best way of getting rid of poor security is to sue the culprits under software liability; see http://www.schneier.com/blog/archives/2007/08/house_of_lords_1.html for an example. Why not extend this reasoning to the payment industry?

But PCI is only a part of the solution, and Heartland is a prime example of this point. All stakeholders in the payment system must take a holistic approach to the protection of sensitive data. PCI compliance needs to be a part of the security posture of all stakeholders, not just a matter of going through an audit and having all of the check marks in the proper columns. The security posture itself must be designed from the start to protect data. Stakeholders are entrusted with information they do not, or should not, own. Stakeholders, as part of their fiduciary obligations, should do the utmost to protect this information.

There are solutions out there that take a holistic approach to the protection of data. Contact me if you need information; I will try to help as much as I can.

René
