Banks pushing back on costs for breaches…
June 27th, 2007 Drazen Drazic Posted in Disclosure Laws, Dumb Security, PCI, PCI DSS, WTF, cyber crime |
This is a topic that has been heating up in recent times, and this story today from CIO provides further insight into the possible directions it will take: “Banks Say Share of Credit Card Security Costs is Unfair”.
What I find interesting from this article are the following quotes:
Vanessa Pegueros, US director of compliance services at AT&T, contended that banks are “thumbing their noses at the PCI regulation, so we are paying the price.”
“We were doing a good job — maybe not as fast as some would like, but we were on a plan and trying to meet the [PCI] requirements,” Pegueros said. “But [Visa is] trying to take a hard-line approach, and we’re caught in the middle. Now we have to adjust our plans.”
Gartner analyst Avivah Litan agreed that banks are not yet taking adequate measures to comply with the PCI standards.
“There has not been a lot of enforcement at the bank level,” she said. “All the enforcement scheduled has been on the processing and retailer side, so it has been unfair, frankly.”
Litan said retailers are upset because they believe that they are being held to a higher standard than banks in securing their systems.
Are some of these guys serious? This thinking is a classic example of compliance with the PCI DSS and good security being seen as two different things altogether: security going one way and compliance in another direction. How can these excuses be taken as anything but a joke? If you had good-practice security controls in place to begin with, the PCI DSS wouldn’t be as big an issue for you. The expectation from PCI DSS compliance is good security; nothing in there is radical or new. Correct me if you think I am wrong.
Worry about your own shop first and foremost. Bob Russo at the end sums it up best:
“This should not be a blame game,” he said. “The bottom line is everyone who touches consumer payment card data has a responsibility to secure it.”
And the story continues… stay tuned… I have a feeling some of the arguments against PCI DSS will become even sillier.