Opinion on the veto of AB779


I wanted to take an opposing view to David Lacey’s blog on California’s veto of AB779 – the bill to make a version of the PCI standard into State law. David’s view is that “in the absence of tough legislation, few organisations pay enough attention to the protection of customer data.” I agree with Arnie’s view that “the industry is better equipped than lawmakers to evaluate the need for higher standards.” In fact this is already happening in the form of the National Retail Federation, which earlier this month sent a letter to the PCI Security Standards Council requesting “changes in how the credit card industry requires merchants to store credit card data.” You can read it online here.

I also think I’m not far wrong in saying that in the case of PCI, many businesses have been taking very seriously the threat of financial penalties that the banks are starting to impose on merchants who fall out of compliance (Visa alone imposed US$4.6 million worth of fines during 2006). That’s before we get to the fear of the reputational hit that comes with a credit card data compromise – legislation or not. Government legislation has not been needed.

I’m not disagreeing that tough legislation can work to focus efforts on security, just that I’m not convinced it’s actually necessary. I was giving a presentation recently to a business that is completely focused on ensuring that it protects data not because of legislation (although compliance with various bills and acts was obviously a driving factor) but because it wants to safeguard customer interests, and protect reputation and revenue. Get those efforts right and the business is likely to be compliant anyway.

What do you think?