How tough will the Payment Card Industry and Acquiring Banks be on continued non-compliance with the PCI DSS?

March 3rd, 2008 Drazen Drazic Posted in PCI, PCI DSS, governance

In 2008, PCI DSS finally seems to have some good traction (in Australia and New Zealand at least). Most organisations that should be compliant are now aware of the requirements imposed upon them, though many are still at the early stages. Compliance levels, in terms of the percentage of compliant organisations, are still low from what we see, but progress is being made, albeit slowly.

But there are some organisations who are not budging and have decided that they will not be doing it. They have stated that they see no business value in it, and that the cost of compliance is not worth their investment. As a rule, these organisations have been large companies who believe their value to the acquiring bank gives them the right to say no, under threat of taking their business elsewhere should the bank push the point.

In the cases like this that we have been exposed to, the repercussions of non-compliance have generally been fines that are minimal relative to the business coming in. Few consider the reputational damage and the larger fines they would face should they be compromised. That surprises me in this day and age. There is little fear that the PCI or the banks will get tough with them.

So, what will the PCI and acquiring banks do in such cases? Is there enough awareness of the PCI DSS at senior levels in all acquiring banks, and enough support for the program from them, to want to get tough with customers that flatly refuse to play by the rules? Could PCI DSS compliance actually fail because of the banks, rather than because of a lack of merchant and service provider support, which most would have expected to be the weak point if there was a failure? This will be an interesting area to follow. If it falls down here, what motivation is there for anyone else to support the program?

Let's hope this does not happen.

6 Responses to “How tough will the Payment Card Industry and Acquiring Banks be on continued non-compliance with the PCI DSS?”

  1. Heh, few consider the physical damage of crashing at 30km over the speed limit when they speed down the motorway. It’s all the same - obviously it’s not going to happen to them.

  2. Declan Ingram Says:

    It's BG's Ostrich Risk Management 101 in action.

  3. It's a tough one, and some don't realise that some of the banks themselves are struggling to get the right message out to the relevant organisations. (Struggling? Maybe too strong a word). Some I have spoken to within banks that are managing the PCI programs talk of the effort to get account managers on board to speak with their clients about PCI DSS. Same old problem... it's not a revenue-generating part of the business; it is potentially disruptive for that, so it sits in the too-hard basket. The longer-term benefits cannot easily be quantified, so it's perceived as a burden. Events like the TJX thing are easily forgotten by some.

  4. Mark Scott Says:

    I'm finding this all very interesting. Banks, Visa, and MasterCard are the ones that suffer along with the consumer when card holder data is compromised. It is inconceivable that PCI DSS will fall by the wayside. The cost of compromised card holder data, I feel, will push this through. As mentioned above, an interesting topic to watch.

  5. [...] I now need more than two hands to count the number of times an organisation has told me that they make too much money for the banks to have PCI DSS compliance forced upon them. It doesn't matter what you say or what case studies you provide (e.g. TJX and the millions it has cost them), it just does not hit home. They believe their size means they don't have to play by the rules. As covered previously here. [...]

  6. Banks have the most accountants on staff, yet maintain the least accountable position in society... acknowledging PCI would give rise to the need to be more accountable; it's in their nature to steer clear of that.