Wednesday, October 24, 2007


Why PCI will accelerate the loss of personal data...

Figured I would share words of wisdom from Andy Steingruebl...

In the case of PCI, what is ultimately being protected is a credit card number, and the $50 in liability an individual stands to lose if there is a breach. PCI doesn't cover all of the other data that users probably really care about: the data that can be used to get credit in their name, their purchase histories, privacy, etc. In that sense PCI has always been about protecting the VISA brand and financial institutions from fraudulent transactions. It wasn't ever about protecting customers. Sure, it had a bit of knock-on effect in that companies that implemented security controls to achieve PCI certification were probably doing a good job, but there is pretty clear evidence that people who didn't have enough security *before* PCI didn't have it after. This isn't to argue against public policy that requires security controls, but simply that PCI was never going to be the way to achieve that. California SB1386 has probably done more in this area than anything else.
