PCI DSS -- Good Isn't Good Enough


The Payment Card Industry (PCI) Data Security Standard (DSS) just does not seem to be working, and I don't see how it possibly could.


Last year, credit card numbers were stolen from major companies including OfficeMax, Dave and Busters and, probably most infamously, Heartland Payment Systems. Following a federal investigation, some of these companies were told that they were indeed the victims of a breach and must investigate. A few could not find any signs of a breach and therefore did not notify customers of the alleged breach.


The Federal Trade Commission (FTC) estimates that 50 billion is lost annually due to identity theft and credit card fraud. In response, 40 states have passed laws requiring companies to give consumers an early warning when their personal information is stolen. Companies have been reluctant to notify consumers due to loss of good will, embarrassment, or the possibility their stock might go down. This has got to change.


Heartland Payment Systems was recently returned to Visa's list of PCI DSS-validated service providers after completing its own PCI DSS assessment. As you may remember, Heartland was hacked last year in one of the largest breaches in history. The exact number of records stolen was not disclosed.


See, here is where I have the problem: the PCI DSS guidelines are industry-developed and industry-administered guidelines, and they just don't go far enough. The PCI DSS consists of basic security guidelines that every organization should be following anyway. I would really have to question any organization that cannot meet these basic guidelines. There are even people out there pushing to lessen the requirements, putting us at even greater risk. Implementing the standard is costly. Opponents argue that small organizations cannot afford to become fully compliant and that PCI has driven some out of business. To that I say, too bad.


There is an expectation by the public that companies will properly handle their personal data. We have to go further than just the basics. We need to give the public world-class security to gain, and keep, their trust. Trust is earned, not expected.