At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud.
I disagree that the standard is overly complex – in fact most of it is straightforward, common sense information security. The reason it has proved to be ineffective is because organisations focus on ticking the compliance boxes rather than taking the holistic approach to security that’s needed. There’s enough ranting on this subject elsewhere – the best being on Anton Chuvakin’s blog – and I have little to add.