nCircle.com >> 360 Security >> The Lens


The Law of PCI

Texas has passed a bill that makes PCI compliance a law. You can check out the text of the legislation here. The bill allows a financial institution to 'bring an action' against a business if they are in violation of the PCI DSS at the time of a breach. Interestingly, in order to 'file an action,' the financial institution must first request that the business provide certification of compliance with the PCI DSS and the business must provide that certification within 30 days.

In other words, the work flow that this bill establishes is as follows:
Assumption: Business is not PCI compliant, though it is required.
1. Breach occurs.
2. Financial institution finds out about it (see Texas SB122)
3. Financial institution requests PCI audit from business
4. If the business passes the audit, nothing happens. If the business fails, the financial institution may be able to collect damages from it.

Let's consider how this interacts with the requirements of the card companies. Any business that's processing cards is already required to comply with the PCI DSS, so it should (given an appropriate merchant level) already be audited annually. This law adds an 'on demand' audit in the case of a breach. A business might be able to bring itself into compliance and get audited within the 30-day window, but it would be really tough for an organization of any size.

Also interesting is the provision that a business is safe if they contract out to a third party for processing services, and obtain some assurance that the third party is PCI compliant. Such a provision pushes retailers in the direction of outsourcing card processing, in turn centralizing PCI enforcement further.

What we have here, ultimately, is an(other) attempt to push the liability closer to the party responsible for the risk. It makes sense, really. Any time responsibility (for damages, a breach, etc) and authority (to eliminate risk, add security) are separated, there's bound to be a problem.


Comments (1)

APM:

I am currently working for an organisation in Gibraltar that is working towards PCI DSS Compliance and the lack of laws related to PCI DSS is not helping. Currently, it's seen as a contractual issue and therefore not given the same weight as other legally enforceable compliance issues.

Linking PCI DSS compliance with a disclosure law of some sort would be the next step but that probably isn't going to happen here.

My situation is not helped by the fact that it is a privately owned company and therefore we do not have any listing rules and regulations to comply with either.

That said, I don't think PCI DSS itself should be law, just this need to comply. This is because if it is turned into a law then this would inevitably slow down its development. In my opinion, the PCI DSS Standard needs to continue to evolve further and therefore slowing that process down would not be a good thing.


About

This page contains a single entry from the blog posted on May 15, 2007 9:43 AM.
