nCircle.com >> 360 Security >> The Lens


It's Not Always About You

Earlier this week, someone asked me this question:

"What should the PCI Council be working on next to protect card holder data?"

I thought about this for a while, and decided that the only honest answer is nothing.

I will acknowledge up front that the PCI DSS is lacking in a number of ways, that it could be changed to better protect card holder data, and that even a fully compliant merchant still puts card holder data at risk. I'll also ask this question, fair-minded reader: Who cares?

As one who holds a few cards, I care. A merchant who wants my business *might* care, but only if they think that the strength of my conviction is such that I might not shop there. The PCI Council is the furthest from caring in this chain, and the successful adoption of the PCI DSS will only make them care less. How so? Well, it's all about revenue and liability.

The PCI Council represents the card companies, who are *gasp* in it for the money. For them, card holder data theft is a liability. It hurts their bottom line if they have to pay out, and it hurts their bottom line if card holders don't use their cards. In other words, they can't make themselves liable and they can't make the card holders liable; neither option is viable for their business. The PCI DSS allows them to place liability on the merchant, which is largely appropriate given the merchant's relationship to the card data.

The PCI DSS protects two ways:

[Image: pci_liability.png]

Basically, the merchant chooses one of two states: Compliant or Non-Compliant. If they're compliant, then they're less likely to have a breach and compliance can also instill card holder confidence. If they're non-compliant, then they're electing to take on the risk and liability of any breach that occurs. In either circumstance, the card companies have successfully limited their liability.

Hannaford, Hannaford, Hannaford. I know what you're thinking. What about a compliant merchant that experiences a breach?! Well, here's the test. Theoretically, Hannaford shouldn't be liable. I'd argue that it's in the card companies' best interest to pay out in this case. They solidify the positioning of PCI and probably increase adoption by merchants too. We'll just have to wait and see how it plays out.


This page contains a single entry from the blog posted on April 2, 2008 7:07 AM.
