Wednesday, March 25, 2009

In the Wake of Our PCI Discussion......... Once Again!

I was forwarded an article recently from a friend regarding a very interesting data breach for Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. In an article in the Australian IT publication, iTNews, Aussie stumbles on 19,000 exposed credit card numbers, the author describes how an innocent search on Google turned up 22,000 credit cards with all the attached necessary pieces of information...... name, address, CVVs, expiration dates..... also listed were the last transactions on the card!

I guess we are making some really fine progress with our PCI regulations. It appears to be working well..... NOT! Maybe it is time we give PCI a closer look to see what is working and what is really not and make some changes before the whole industry comes completely crashing down.

I think the biggest problem that is perpetuated by PCI is the false sense of security. The technology that is implemented in financial/PCI regulated establishments is prioritized by what fits the necessary requirements for PCI, not by what is needed in the business that will help to secure the posture of the organization.

It might be time to rethink where we are going with this, because the system is still not working.

As Earl Pitts says, "Wake Up America"!

3 comments:

  1. "financial/PCI regulated establishments is prioritized by what fits the necessary requirements for PCI, not by what is needed in the business that will help to secure the posture of the organization."

    So, what parts of PCI happen to NOT "help to secure the posture of the organization"?

  2. My point is that PCI compliance becomes the tail wagging the dog. A false sense of security is achieved by using PCI compliance as the measurement for security within your environment.

  3. Ah, that's a good point, of course.

    If it goes like this:

    hate and ignore security -> got the need to do PCI -> do a barely passable job at PCI -> pass PCI -> think "OMG, I am compliant now!!" -> immediately think "Oh, I guess I am also secure"

    then things are indeed pretty f* up....
