If the Payment Card Industry Data Security Standard (PCI DSS) has done one thing, it’s been to highlight that there are such things as basic, good security practices.
That sounds like a bleedingly obvious statement, but let's look at this more closely. Why has PCI DSS compliance been, and why does it continue to be, such a challenge for most organisations? If good basic security controls were in place to begin with, PCI DSS compliance would not be as intimidating to organisations as it currently is!
PCI DSS has copped a bit of criticism, but I'll put it to you that the majority of the people and organisations doing the whinging are the ones who have adopted the lip-service and/or head-in-the-sand approach to security (and who, more than likely, are already owned in one way or another and are oblivious to it). Hey, chances are good. I know... we see it every day.
Importantly, PCI DSS should be recognised for what it has done and is doing in many parts of the world (like Australia) where the regulatory environment has added little to nothing in terms of advice on, and enforcement of, good security practices. Even organisations under no obligation to be PCI compliant could do worse than follow the PCI DSS.
If stories like the TJX compromise have done one thing, it's been to highlight that all organisations are exposed to business-threatening risks from IT and the Internet and need to get their act together with regard to IT Security and Risk Management.
Bleedingly obvious again to all reading this, no doubt, but let's look at this more closely, using PCI compliance as the example.
Why are so many companies pushing back on compliance? Why are some companies willing to take the risk? Why are some willing to cop the fine for non-compliance? (Given that the fines are minuscule relative to potential income/revenue, they believe it's not worth the time and investment to become compliant.) This is happening!
The stupidity of it is brought home in two points:
1. If you are storing, transmitting or processing credit card information, compliance is mandatory. Rules are rules, and if you want to continue doing it, you are obligated to play by the rules.
2. Regarding the fines: 5-10K fines are small in the scheme of things and may sound more attractive than the cost of becoming compliant. BUT get hacked, breached, owned, and you'll be faced with potentially millions of dollars in costs and fines and, most importantly, reputational and business-threatening concerns. (Need we raise TJX again?)
So for anyone who is managing the PCI compliance program in their organisation and is struggling for buy-in from senior management, I would highlight the two points above.
Further, I would also recommend in such scenarios that you get the CEO or CFO to sign off on a policy exemption that acknowledges that they accept the risk of non-compliance (within the timeframes specified by the Acquiring Banks and PCI Members). Funny how some form of ownership and accountability can change how they view things.
Businesses are under real threats. Being ignorant of good practice will no longer cut it as an excuse.
- Drazen Drazic's blog
