Monday, June 02, 2008

So What? Does the Hannaford breach imply PCI is a waste?

This question has been on my mind for a few weeks, and I wanted to stir the pot a bit.

Hannaford was PCI compliant at the time of the breach, so what does this really mean?

Should a company spend millions up front, when it has been documented that even though Hannaford was compliant, it had to spend millions more after the fact?

What does that say about the standard itself?

What fines are going to be handed out? Is proving PCI Compliance the 'Get out of Jail Free' card and so no fines will be doled out?

If I am a company and have followed this story, why spend the money on becoming PCI compliant when it appears that even if I am, the only difference is that no fines are levied? And if the fines are less than the cost of remediation PLUS the compliance process, what is the value to me as a business of becoming compliant, versus taking out an insurance policy for $300 per record at risk?
