Is PCI a Scam?
I had to ask myself this question after two years working with clients to help solve their PCI issues and seeing only a handful of fines being handed out to the poster children of a breach. Here is why I pose the question...
If I am an issuer of cards, why is it good business to bite the hand that feeds me in levying fines against those organizations who provide me revenue? Is the revenue that gets generated more fraudulent than legitimate so it is in my best interest to shut down the source of the fraud? If there was that much fraud because of the identity theft that is associated with fraud, isn't there anything else that the issuing card companies can do besides hand out fines? It just seems like it is adding insult to injury.
If I am a level 2, 3, or 4 merchant, and I look at what it will cost me to get compliant both in terms of technology and access to expertise to implement a solution, why wouldn't I roll the dice and wait to be shut down, especially if the cost of compliance puts me out of business? I will say for the record that the level 2, 3, and 4 merchants are the most at risk for a breach because of their restricted access to capital and expertise and the ability to pay for it, so they are in a no-win situation, are they not?
If I look at what the core of the issue is, it is the databases used to store data. So why not lock down, encrypt, and render virtually inaccessible the records in said databases and leave it at that? Why not simply say that IF you store data (not a great idea but I know organizations do it), be sure it is encrypted all the way down to the cell level. It won't matter if I can get access to the database and copy it since it will be rendered useless unless I have access to some serious computing power.
Can't the card companies incent Oracle, Microsoft, etc. to ship the encryption with their databases out of the box to make this happen?
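As an added example (not from this post or any vendor), here is what "encrypted down to the cell level" looks like for the card number in Go, using AES-256-GCM from the standard library. The row layout, the Leaks check, and the short PAN-length check are assumptions; the key is meant to come from a KMS or HSM and never sit beside the table, which is what makes a copied database useless.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// CardRow is one row of a hypothetical cardholder table. The PAN exists only as
// AES-256-GCM ciphertext (nonce || ciphertext || tag); the last four digits stay
// in clear for receipts. The key is held in a KMS/HSM, never beside the table.
type CardRow struct {
	Last4  string
	EncPAN []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptPAN seals one PAN under a fresh random nonce and binds Last4 as
// associated data, so a ciphertext cannot be moved to another customer's row.
func EncryptPAN(key []byte, pan string) (CardRow, error) {
	if len(pan) < 8 { return CardRow{}, errors.New("PAN too short") }
	gcm, err := newGCM(key)
	if err != nil { return CardRow{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return CardRow{}, err }
	last4 := pan[len(pan)-4:]
	return CardRow{Last4: last4, EncPAN: gcm.Seal(nonce, nonce, []byte(pan), []byte(last4))}, nil
}

// DecryptPAN recovers the PAN; a wrong key, altered ciphertext or altered Last4 fails.
func DecryptPAN(key []byte, row CardRow) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	ns := gcm.NonceSize()
	if len(row.EncPAN) < ns { return "", errors.New("ciphertext too short") }
	pt, err := gcm.Open(nil, row.EncPAN[:ns], row.EncPAN[ns:], []byte(row.Last4))
	if err != nil { return "", err }
	return string(pt), nil
}
// Leaks reports whether a copied row still carries the PAN in clear.
func Leaks(row CardRow, pan string) bool { return bytes.Contains(row.EncPAN, []byte(pan)) }
```

The thing to verify in a real deployment is not the cipher but the key path: if the database host can read the key, a copy of the host is as good as a copy of the plaintext.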
Labels: Database security, PCI, PCI Compliance