Implications of non-compliance with PCI DSS…
June 27th, 2007 Drazen Drazic Posted in Disclosure Laws, Dumb Security, PCI, PCI DSS, cyber crime
Just got back from Singapore where we spent a day going through the most recent changes to the PCI DSS with the various members and PCI Security Standards Council representatives.
If you’re not up to speed with the latest revision of the changes, see the PCI Security Standards Council website (worth bookmarking if you haven’t already). There are quite a few changes, mostly clarifications to existing requirements that make the intent of each requirement clearer.
Look, I know the standard cops a bit of criticism (mostly from people and organisations who in the past have never been as security minded as they should be), but it is evolving and, let’s face it, in many parts of the world where the regulatory environment adds little to nothing in terms of advice on, or enforcement of, good security practices and controls (Australia being one example), it’s the best and only thing out there. Even if you’re not under an obligation to be compliant, you could do worse than follow the PCI DSS. Related story from CIO Magazine.
A bit of the discussion in Singapore focused on organisations that have decided to approach compliance in “their own time”. Many companies, misguided and taking a big risk with their position, are willing to accept the potential fines for non-compliance. Given the fines are minuscule relative to income/revenue, they believe it’s not worth the time and investment to become compliant.
Two points on that:
1. Compliance is mandatory. While the PCI members acknowledge the challenges of enforcing compliance, and most importantly realise that it is a large undertaking for most organisations, rules are rules if you want to work with those members (and process card transactions).
2. Regarding the fines: 5-10K fines are small in the scheme of things and may sound more attractive than the cost of moving to compliance, BUT get hacked, breached, owned, etc. and you’ll be faced with potentially millions of dollars in costs and fines and, most importantly, reputational and business-threatening problems. (Need we raise TJX again as but one of many examples?)
So for anyone who is managing the PCI compliance program in their organisation, and is struggling for buy-in from senior management, and/or faced with the position that small fines are acceptable, I would highlight the two points above. Further, and just putting it out there, I would also recommend in such scenarios that you get the CEO or CFO to sign off on a policy exemption form that acknowledges they accept the risk of non-compliance within the timeframes specified by the acquiring banks and PCI members. (Ensure that all the risks of non-compliance are highlighted on the form.) I’ve found that when someone has to put their name to a position like this, there is a greater likelihood of that position being reassessed. (Ownership and accountability: we need more of it in IT Security.)
Related Stories:
http://beastorbuddha.com/category/disclosure-laws/
http://beastorbuddha.com/category/pci-dss/

July 7th, 2007 at 1:22 am
GFI offer an excellent whitepaper that breaks down the PCI DSS directive into bite-size chunks. Recommended read!
http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf
July 7th, 2007 at 2:42 am
Securityphreak,
I will give you the benefit of the doubt that you believe this is good.
But, let me give you the hot tips:
1. Get the latest breakdown on tiers and present facts.
2. Don’t bullshit my readers with a blatant sales pitch presented as advice… That’s my job.
DD
July 10th, 2007 at 9:08 pm
Sorry to disappoint you, but I’m not affiliated with GFI.
I pass on this white paper to clients simply because it helps them better understand the basics of PCI DSS, which makes my job easier as well.
July 10th, 2007 at 9:27 pm
Securityphreak,
I’ve had a heap of spam-type responses here recently (that I delete every day). I thought you’d done the same given the pro-GFI content… but do take my response as a bit tongue in cheek also. I do appreciate your responses and desire to spread information to help others. Don’t let me put you off.
DD