The Payment Card Security Shakedown

Michael Vizard

There is only one thing worse than being threatened with having to pay protection money: paying for the protection and still getting robbed.

That pretty much sums up how a lot of people feel about the Payment Card Industry Data Security Standard (PCI DSS) these days. Companies have spent millions of dollars on installing these technologies -- not to mention all the money being spent on auditors -- only to discover that security breaches keep happening anyway.

It might seem there's something fundamentally wrong with the way people are implementing PCI DSS. After all, it's a pretty complex undertaking, so getting it right is not easy. But the other side of the equation is that PCI DSS only covers a limited segment of the payment process. Clearly, a lot more work has to be done to secure the payment process beyond the scope of the PCI DSS standard.

For example, how the credit card data is stored, where it is stored and how much encryption should be employed to secure that data are things an IT organization needs to sort out. One thing everyone can agree on is that the PCI DSS process is tedious. So if all things are equal among vendors such as Thales, IBM, Oracle and Tripwire, then maybe you should choose the vendor who does the most to help automate the process. After all, a lot of the expense associated with PCI DSS goes for auditing the process. If the process is automated, chances are it will be done right the first time, and you'll spend less time, money and energy on the process.

Although some people question the efficacy of PCI DSS, we probably would be a lot worse off without it. But a lot of work remains to be done to streamline the PCI DSS process. Unfortunately, companies such as Visa, MasterCard and American Express that are setting the PCI specifications aren't doing the actual implementations. As a result, we're experiencing a lot of pain and frustration right now relative to the benefits, which is why so many companies are out of PCI DSS compliance. Making it easier to comply, without compromising the integrity of the standard, needs to be job one of the entire PCI DSS community.

Oct 27, 2009 2:43 AM Daniel J. Doughty says:

Until a commitment is made to have auditors be as tech savvy as the individuals implementing these policies, I don't think we'll ever be much closer to being secure. With time and persistence, anyone can pass the current auditing standards, but as you mention, that doesn't mean that we're actually any safer in the long run. Every auditor I meet is very polite and trying earnestly to do their best, but none of them really seem to know much more than Excel.

--these opinions are my own and do not reflect the policies of my employer

Sep 8, 2010 8:34 AM No More Mortgage says:

Paying for the protection and still getting robbed while performing payments through the internet is a big problem for all, and if this state continues, the people shopping and purchasing through e-commerce and auction websites will get reduced soon. The Payment Card Industry Data Security Standard too has many disadvantages, and security breaches are happening again and again even though companies spend millions for the PCI DSS. It's true that PCI DSS only covers a limited segment of the payment process, and so we have to develop a new system to secure the payment process beyond the scope of the PCI DSS standard.
