February 20, 2009

  • Is PCI Compliance Defunct Already?, Pt.3
      What does it do?


    Ms. Hellman goes on to explain why total credit card security cannot be achieved with a "universal checklist of items." In any business, risk controls must be balanced against business impact. The credit card breach at Heartland illustrates a familiar dynamic: the harder a business tries, the harder the thieves try. It is an arms race. The tighter the defences, the more sophisticated the attacks become. What PCI compliance aims to achieve is "encryption over sensitive data wherever possible and reasonable and complementing those data level controls with monitoring where they cannot," according to Ms. Hellman.

    At the time of the credit card breach, Heartland was PCI compliant. Of course, they still are. They had passed an assessment just last April, and they remained in compliance for the entire period during which the breach took place. The intrusion was so well hidden that it took teams of forensic experts to locate it even after Heartland knew an intrusion had occurred. How practical would it be for every business to employ expert security teams around the clock, hunting for something no one suspects is even there? It would be a little like confining all Americans to their homes forever, just to be sure there is never another 9/11. PCI compliance goes a long way, but it can never guarantee against the extremes. Compliance does not equal security.

    Consider also that PCI compliance is intended to act as a baseline. It is an assurance that there are no flagrant credit card security leaks, and that alone is worth something across the thousands of businesses it covers. However, the standard only mandates a minimum level of security; it sets a 'level of preparedness'. For example, Requirement 1 demands that a firewall configuration be installed and maintained to protect cardholder data. Of course, a firewall is already standard procedure for almost every business with connections to the 'outside', or even between departments. Nearly all businesses would do this out of common sense, but it is now a requirement so that all of them can be shown to comply. Note, too, what the requirement does and does not establish: the presence of a firewall is easy to verify on a checklist, whereas whether its rule set actually restricts traffic to and from the systems holding card data is the harder question an attacker will probe.

