PCI Compliance Hits Mainstream
Traveling and talking to customers over the last few weeks, I picked up some of the fodder from the "Is PCI DSS Good or Bad" debate between Mark at Security Buddha and Michael at PCI Compliance Demystified. In full disclosure, I did attend the PCI Conference in San Francisco with Michael. I thought I had a pretty thorough grasp on PCI compliance, but Michael really knows his stuff.
A few points I'd like to make.
First, we have to remember the PCI Security Standards Council is still in its infancy as the standards body overseeing the PCI Data Security Standard. As a member of the Council, I had the opportunity to participate in a member webex. This was an initial effort to foster direct communication among the members of the group, who, by the way, make up a broad spectrum of the various constituencies the standard impacts (consumers excepted).
Based on what I heard, I am confident there will be ample opportunity to communicate the weaknesses within version 1.1 of the standard, so that continued improvements will be made. Can we say the same for Sarbanes-Oxley, HIPAA or GLBA? Which of the bodies overseeing those regimes (SEC, PCAOB, HHS, FFIEC, FTC) are soliciting feedback? Anyone?
Second, and more importantly: efforts to tighten up compliance standards must continue, so that they prove not just compliance but a serious commitment to a secure environment. Even so, the real issue continues to be enforcement, and specifically enforcement of penalties for non-compliance.
In poring through some past issues of Network Computing, I came across Patrick Mueller's article on some recent FTC action related to a data breach of an insecure e-commerce server. Now, there are a lot of twists and turns to this particular story that are interesting, but the thing that stood out to me like a giant billboard was this: "It became the FTC's 14th data-security case." 1,400 wouldn't have surprised me. I might have done a double-take at 140. But, 14??
We're not even talking about non-compliance here. We're talking about breaches. I don't know about you, but I certainly read about a lot more than 14 of those... a month!
Once again, there is no accountability placed on organizations to take information security seriously.
Take it for what it's worth.