We’re too important to bother with PCI DSS compliance…we make the banks too much money!

April 8th, 2008 Drazen Drazic Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, cyber crime

I now need more than two hands to count the number of times an organisation has told me that they make too much money for the banks to have PCI DSS compliance forced upon them. It doesn’t matter what you say or what case studies you provide (e.g. TJX and the millions it has cost them); it just does not hit home. They believe their size means they don’t have to play by the rules. As covered previously here.

Maybe it’s an Australian thing and they’re just not aware of what is happening elsewhere in the world. You never wish ill on someone, but you sometimes do think: “yeah….why don’t you just keep testing your theory….let’s see how nice the bank and PCI will be if/when something happens”. (Does that make me a bad person?) :-)

3 Responses to “We’re too important to bother with PCI DSS compliance…we make the banks too much money!”

  1. Declan Ingram Says:

    We can say this, but really we need to be proved correct by the banks. Until that moment, what the large merchants are saying is true.

    The problem is that if they are not a long way down the compliance path by the time the banks /do/ tell them, it will be a messy and expensive project indeed.

    So, in the long / medium term, are they saving any money? No. None at all.

  2. @Drazen Drazic,

    I have heard from various sources that the Retail Operations of a large majority of Australian Banks are yet to address PCI DSS.

    Perhaps you could direct the question back to them (i.e. Australian Banks)?

  3. @cmlh, while we talk with the banks, the focus of discussions is on merchants and service providers. We haven’t talked much about what they themselves are doing internally, and I would guess they would probably keep that information to themselves.

    From a Visa perspective (and I expect all others), all Visa members, whether an issuer or acquirer or both are required to be AIS/PCI compliant. At present still, I believe they do not need to demonstrate to Visa that they are. It is a compulsory part of Visa Int. Operating Regulations though. They have the same exposure as any other entity in the event of a data compromise.

    So I assume they are doing things. Sorry I can’t help more. Maybe some of our readers from the banks could add more.

    DD
