PCI-DSS is an interesting standard. With multiple stakeholders supporting the transaction process, as explained very well in Martin Mckeay's post, it is a tough balancing act that the card brands have to play with service providers like Global Payments, the merchants and, most importantly, the consumers. After all, it is the consumers who keep the systems and services of payment card transactions alive by putting their trust in the whole system. The breach at Global Payments has led to its removal from the list of compliant service providers.
There are PCI-DSS lovers and haters, so a breach like the one at Global Payments is a good opportunity to raise questions and discuss views, especially in the security community. From a merchant and service provider's perspective, Alan Shimel raises a good point about trust in the PCI system and what it holds for merchants and service providers.
Other interesting coverage of this is at WSJ and SC Magazine.
The card brand moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009. In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.
In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.
The above extract from the SC Magazine link is thought provoking. Will Global Payments follow the same route and be back on the list in a few months?
With the number of data breaches happening every day, is today's consumer even bothered? The emphasis on service always comes before security, both in business and for the consumer. It is only when such incidents occur that the lessons are learnt. For businesses, compliance with a standard is definitely not a panacea, but if done with intent, I believe it will help remove the low-hanging fruit. Security is about defence in depth.