PCI at the House of Representatives

From Computerworld.

At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud.

I disagree that the standard is overly complex – in fact most of it is straightforward, common-sense information security. The reason it has proved ineffective is that organisations focus on ticking the compliance boxes rather than taking the holistic approach to security that’s needed. There’s enough ranting on this subject elsewhere – the best being on Anton Chuvakin’s blog – and I have little to add.