While the credit card companies have been pushing to get every company that accepts credit cards for payment compliant with the now well-known Payment Card Industry Data Security Standard (PCI-DSS), enforcement remains weak, especially for smaller merchants. Merchants are broken down into four levels (often called tiers) based on annual transaction volume. Level 1 merchants are very large, processing more than 6 million transactions per year. Level 2 merchants process between 1 million and 6 million. Level 3 merchants process between 20,000 and 1 million e-commerce transactions, and Level 4 merchants process fewer than 20,000 e-commerce transactions (or up to 1 million transactions through any channel). Smaller organizations have been reluctant to implement everything required to become PCI compliant because of the time, cost, and expertise involved.
For companies that do business in the state of Nevada, PCI-DSS compliance will soon be required by law. Nevada passed a law, effective January 1, 2010, that makes it mandatory. Of course it was mandatory before, as a contractual obligation to the card brands and acquiring banks, but I believe this will add additional penalties for those that are not compliant. It should also be a strong reminder to those who keep putting this off that PCI compliance is not going away.
http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html
While PCI-DSS is not perfect and truly does not go far enough in many aspects of data security, it is a good first step because it requires those who handle sensitive consumer and customer data to reach a minimum level of compliance and at least be cognizant of data security. It should be noted, however, that for most companies this is not enough. I am somewhat encouraged by Heartland's response over the past few months to their data security breach (likely the largest in history); they seem to be taking steps to reach an adequate level of security. For example, they are implementing end-to-end encryption, which PCI DSS does not specifically require: the standard mandates that stored card numbers be rendered unreadable and that cardholder data be encrypted in transit over open, public networks, but it does not require the data to stay encrypted from the point of capture all the way to the processor. While I was not at all impressed with the way in which Heartland announced their breach ("coincidentally" at the same time as Obama's inauguration), I am glad to see they are not taking the same approach now.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=340371
Despite the good things that PCI-DSS does, there is a lot of negative feedback regarding its cost and effectiveness. As a result, the PCI Council is soliciting feedback to improve the standard. It is true that merchants will have to spend some money to be more secure, but frankly, this is overdue. Merchants do not like spending money on these types of things, especially in the current economy. The bigger problem is that companies and people get it into their minds that if they are compliant, they are secure. These are very different things. Compliance is a point-in-time assessment against a minimum baseline; it says nothing about the threats the standard does not address, or about whether the controls were still in place on the day an attacker arrived. Being PCI compliant does not mean you will not be hacked. Just ask the companies that have suffered breaches in the last couple of years despite having been assessed as PCI compliant, including Hannaford and Heartland.
http://www.scmagazineus.com/PCI-DSS-standards-to-face-open-comment/article/138998/