Losing faith in PCI enforcement
PCI-DSS compliance is mandatory for any organisation that processes, transmits or stores credit card data, but it is up to the acquirer (the bank) to enforce it on merchants (businesses taking credit card transactions) and to measure their compliance against the standard. That information is then passed on to the card brands as a report on the compliance status of the acquirer's merchants.
The reason I have lost some faith is that it became known to me that one large organisation, doing millions of credit card transactions and not PCI compliant, chose to pay the fines instead of ensuring they comply with the standard, because it was cheaper in the short term.
What does a non-compliance fine cost? Don't forget that the acquirer decides this, but one customer is only fined $20,000 a year, which for them is a very, very small amount compared to the revenue they are making from taking credit card transactions.
Let's hope these fines increase to the point where security actually starts getting some real attention from C-levels.

4 Comments:
Chris, the fines are nothing, as you mention, but what needs to be communicated to those organisations is that a breach, and that organisation not having "safe harbour", is going to cost a lot more. We're talking in the millions now, e.g. TJX, Hannaford etc. (not even talking about reputational damage).
In Australia, PCI DSS has a long way to go!
Yes, trust me, I pushed all the extra costs, but to no avail. I guess that the people making the decision just wanted the immediate problem to go away. Hence they really don't care about having a secure environment. Shame really; let's hope that the banks get more serious and hand out bigger fines to force these companies to take action... or a major, major hack shakes up Australian companies.
The banks have been the main reason, in my opinion, for the slack uptake. Some have done it well, others far less so; some have barely begun! I have been in the middle of drafting a post about this for a while, with one of the points being:
"Communication of compliance requirements to organisations is, in my opinion, the reason why PCI DSS compliance in Australia lags well behind the US. While the payment card brands are steadfast in their position about PCI DSS compliance, at the acquirer level things change dramatically, and who the organisation's acquirer is determines how aware the organisation is of PCI DSS compliance requirements, and how seriously they are acknowledged and understood. Thus, two similar organisations in the same sector can have differing views of, and approaches to, PCI DSS compliance.
Incentive is the driver for any action. If there is no clear incentive, whether a positive or a negative one (e.g. fines for non-compliance), an organisation is not going to do anything. Why would you? If the obvious incentive to be more secure is not clearly evident as a reason to move towards PCI DSS compliance, then it's a tough sell."
Re: fines: if one bank is passing on the fines and another isn't, the inconsistency is going to be to the detriment of advancing the program as a whole, potentially even making it go backwards.
At the end of the day, many companies believe they are too important to the banks and thus can do what they like. Are they really big enough for the payment card brands to make an exception for them? :-)
I've met a couple also, and there's not much you and I can do aside from ensuring we've fully briefed them on the consequences.
I just read your comments on PCI. In my line of work we perform external audits, and I am amazed at the number of IT managers in the finance industry who have little knowledge of PCI. Education seems to be severely lacking in Australia.