July 24, 2007

The Texas thing with PCI….

Texas passes a bill

So it seems that a lot of the assessors are excited about the fact that compulsory compliance is being considered in Texas.
For those of you that haven't heard, the House of Representatives in Texas has unanimously
passed a measure that would require PCI compliance if you do business with the
state. Basically the bill states:

“A business that, in the regular course of business, collects, maintains, or stores
sensitive personal information in connection with an access device must comply with
payment card industry data security standards.”

Companies in violation of PCI rules can be fined and even lose the privilege of accepting
payment card transactions.

My Thoughts

My thoughts on this are quite conflicted.

On one hand

As a PCI level one assessor and QSA – Tevora is going to make a whole lot more money,
and get busier than the insanely busy we are right now.

On the other hand I am kind of insulted. How is the state going to tell you that
you can't accept credit cards unless you get PCI compliant, oh and do it now. Don't
get me wrong, I love PCI but PCI is not perfect, and it's definitely not easy. I would
even go so far as to say it's not right for every business (blasphemy!).

The dirty little secret about PCI

For one thing, not every business is built the same and PCI does not offer a
risk-based controls assessment of compliance. It's a one-size-fits-all group of
“security best practice” guidelines that tries to be everything to everyone.

Currently the program can accurately boast that not one “PCI compliant” merchant or
service provider has suffered a breach. The dirty little secret is that breaches do
happen and they happen to companies that pass PCI compliancy. But since the standard
is so comprehensive and home to a lot of manual processes that could
easily be overlooked, every company that is breached and investigated has been found
to be non-PCI compliant at the time of the breach. (Yup, that's right: you didn't
do “11.2.3.iii section 4” on the day of the breach. You are not PCI compliant.)

But that's not the point. My problem is not PCI. PCI is a great standard. It's better
than anything else currently out there. A lot of things in PCI make a great deal of
sense.

Is regulation the answer?

My problem is not PCI, my problem is regulation. I have a problem with trying to legislate
compliance effort.

The whole reason that the card companies adopted PCI was to get
in front of the data breaches such that the industry doesn't become
regulated. Free enterprise and competition is healthy in our country and every
time we regulate it, we ultimately end up hurting the consumer in the long run. Self-regulation
has been proven time and time again. I don't think that creating some arbitrary
threat is going to solve anything.

People forget that the card industry is a business like anything else. If it
makes fiscal sense for companies to comply with PCI then they will do it. Why? To
make a profit of course. The profit motive is the greatest motive a capitalist
society can instill on its people.

Haven't we learned from Sarbanes-Oxley? Come on, was it really worth it? Did
the problems of Enron and WorldCom go away because we jammed Sarbox down everyone's
throats? If it did then why do we have options backdating scandals coming out of our
ears? Weren't those exactly the kind of internal controls that Sarbox was supposed
to oversee?

Let it go

While I think the House Bill is a good political stunt and is giving the people
what they want to hear after the recent data security breaches, I really hope
that the State Senate in Texas doesn't take the bait on this. PCI is a great
standard, and I am more than happy to help my clients through it; but the choice
to become compliant and at what pace has to be between the merchants and the
acquirers.

If the acquirer is willing to accept the risk, and the merchant is prudent, I think
measures can and will be taken to protect customer
identity information without legislating it.

Then we as consultants are able to work with our clients in doing it right. Why? Because
it's the right thing to do and it's going to save them money and reduce fraud.

Forcing the issue down every merchant's throat will only make PCI compliance a
nuisance and ultimately silly like HIPAA (oh yes, HIPAA is very silly).

– Ray Zadjmool