<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: National Retail Federation takes aim at PCI DSS Council</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/</link>
	<description>A SearchSecurity.com blog</description>
	<pubDate>Thu, 26 Nov 2009 08:38:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Home Security Systems</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/#comment-413</link>
		<dc:creator>Home Security Systems</dc:creator>
		<pubDate>Thu, 27 Mar 2008 05:42:46 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/10/05/national-retail-federation-takes-aim-at-pci-dss-council/#comment-413</guid>
		<description>&lt;strong&gt;Home Security Systems&lt;/strong&gt;

This takes on special significance given Al Qaeda’s recent pattern of strikes associated with elections or political transitions. The United States faces increased risk of another attack over the next year and a half, which will make the transition ...</description>
		<content:encoded><![CDATA[<p>&lt;strong&gt;Home Security Systems&lt;/strong&gt;</p>
<p>This takes on special significance given Al Qaeda’s recent pattern of strikes associated with elections or political transitions. The United States faces increased risk of another attack over the next year and a half, which will make the transition &#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCI DSS Compliance Demystified &#187; Blog Archive &#187; Retailers do not need to store credit card data</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/#comment-412</link>
		<dc:creator>PCI DSS Compliance Demystified &#187; Blog Archive &#187; Retailers do not need to store credit card data</dc:creator>
		<pubDate>Thu, 11 Oct 2007 23:55:51 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/10/05/national-retail-federation-takes-aim-at-pci-dss-council/#comment-412</guid>
		<description>[...] There has been a lot of conversation about what David Hogan, CIO of the National Retail Federation (NRF), has said in his letter to the PCI SSC. The famous quote people have been carrying is (copy of letter): All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. [...]</description>
		<content:encoded><![CDATA[<p>[...] There has been a lot of conversation about what David Hogan, CIO of the National Retail Federation (NRF), has said in his letter to the PCI SSC. The famous quote people have been carrying is (copy of letter): All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Network Security Podcast: Episode 80 &#124; securosis.com</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/#comment-411</link>
		<dc:creator>Network Security Podcast: Episode 80 &#124; securosis.com</dc:creator>
		<pubDate>Wed, 10 Oct 2007 15:54:35 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/10/05/national-retail-federation-takes-aim-at-pci-dss-council/#comment-411</guid>
		<description>[...] Techtarget: National Retail Federation takes aim at PCI DSS Council [...]</description>
		<content:encoded><![CDATA[<p>[...] Techtarget: National Retail Federation takes aim at PCI DSS Council [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Security News &#187; Merchants mad about credit card retention</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/#comment-410</link>
		<dc:creator>Security News &#187; Merchants mad about credit card retention</dc:creator>
		<pubDate>Tue, 09 Oct 2007 19:04:04 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/10/05/national-retail-federation-takes-aim-at-pci-dss-council/#comment-410</guid>
		<description>[...] The latest complaint against PCI and the PCI Security Standards Council is that securing the data is too hard, too expensive and that PCI requires them to retain the data for too long.&#160; Their logic is that if they didn&#8217;t have to keep credit card data in the first place, then the hackers would have no reason to be attacking merchants in the first place.&#160; And their logic is good, at least in part; if they could remove credit card data from their systems, then attackers would see a lot less value in targeting merchants.&#160; Of course, we&#8217;d still be seeing at least some of the attacks, since hackers have been attacking large networks for their resources as long as there&#8217;s been an Internet. [...]</description>
		<content:encoded><![CDATA[<p>[...] The latest complaint against PCI and the PCI Security Standards Council is that securing the data is too hard, too expensive and that PCI requires them to retain the data for too long.&nbsp; Their logic is that if they didn&#8217;t have to keep credit card data in the first place, then the hackers would have no reason to be attacking merchants in the first place.&nbsp; And their logic is good, at least in part; if they could remove credit card data from their systems, then attackers would see a lot less value in targeting merchants.&nbsp; Of course, we&#8217;d still be seeing at least some of the attacks, since hackers have been attacking large networks for their resources as long as there&#8217;s been an Internet. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Karl</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/national-retail-federation-takes-aim-at-pci-dss-council/#comment-409</link>
		<dc:creator>Karl</dc:creator>
		<pubDate>Mon, 08 Oct 2007 17:27:20 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2007/10/05/national-retail-federation-takes-aim-at-pci-dss-council/#comment-409</guid>
		<description>If anything, PCI doesn't go far enough. For starters, security breach reporting isn't law at the Federal level (yet). The US is behind most of the civilized world in this respect. 

PCI is another attempt at self-regulation by the very companies that ignored the problem for years in the name of profit. PCI is better than nothing, but still not required by law. 

In the US, if the threat of fines or jail time isn't present, many will ignore such efforts. When consumer protections become law, business inevitably cries foul.

Merchants will experience some pain and anger as a result of years of disregard for privacy &#38; security. While it is true that Consumers frequently do not follow even basic identity theft guidelines, they place only themselves and their families at risk.

Merchants, banks, transaction processors &#38; card issuers who don't encrypt and/or follow good security practices endanger the trust required for the concept of credit cards to work in the first place. 

While I like profit as much as the next person, there are some issues that transcend our right to make money at all costs.

Some states have introduced bills that go further, to extend requirements on merchants. For example, California has introduced:

AB 779 – Data Breach Notification, Identification, and Restitution – As consumer data breaches and identity theft grow in scope and quantity, consumers need to know exactly who is failing to adequately protect their personal information. For example, TJ Maxx stores’ parent company allowed 45.6 million credit card numbers to be stolen electronically. AB 779 would enhance consumer protection by properly identifying the entity responsible for the data breach, require better data protection by retailers and allow for reimbursement of relevant costs to credit unions and community banks stemming from the data breach.

AB 1298 – Omnibus Privacy Protection – AB 1298 would protect consumers’ medical records by extending the state’s existing medical privacy laws to the emerging electronic medical records industry.  AB 1298 also requires businesses and state agencies that release a consumer’s medical information or health insurance information to an unauthorized person to notify the consumer of that data breach. 

If PCI requirements are recalled or softened, it is likely that the Feds would be pressed to finally take action - and that would make more of an impact (good and bad).

Sorry to be blunt - but NRF Chief Information Officer David Hogan should tell his constituents to suck it up and work to improve their systems, and stop whining!</description>
		<content:encoded><![CDATA[<p>If anything, PCI doesn&#8217;t go far enough. For starters, security breach reporting isn&#8217;t law at the Federal level (yet). The US is behind most of the civilized world in this respect. </p>
<p>PCI is another attempt at self-regulation by the very companies that ignored the problem for years in the name of profit. PCI is better than nothing, but still not required by law. </p>
<p>In the US, if the threat of fines or jail time isn&#8217;t present, many will ignore such efforts. When consumer protections become law, business inevitably cries foul.</p>
<p>Merchants will experience some pain and anger as a result of years of disregard for privacy &amp; security. While it is true that Consumers frequently do not follow even basic identity theft guidelines, they place only themselves and their families at risk.</p>
<p>Merchants, banks, transaction processors &amp; card issuers who don&#8217;t encrypt and/or follow good security practices endanger the trust required for the concept of credit cards to work in the first place. </p>
<p>While I like profit as much as the next person, there are some issues that transcend our right to make money at all costs.</p>
<p>Some states have introduced bills that go further, to extend requirements on merchants. For example, California has introduced:</p>
<p>AB 779 – Data Breach Notification, Identification, and Restitution – As consumer data breaches and identity theft grow in scope and quantity, consumers need to know exactly who is failing to adequately protect their personal information. For example, TJ Maxx stores’ parent company allowed 45.6 million credit card numbers to be stolen electronically. AB 779 would enhance consumer protection by properly identifying the entity responsible for the data breach, require better data protection by retailers and allow for reimbursement of relevant costs to credit unions and community banks stemming from the data breach.</p>
<p>AB 1298 – Omnibus Privacy Protection – AB 1298 would protect consumers’ medical records by extending the state’s existing medical privacy laws to the emerging electronic medical records industry.  AB 1298 also requires businesses and state agencies that release a consumer’s medical information or health insurance information to an unauthorized person to notify the consumer of that data breach. </p>
<p>If PCI requirements are recalled or softened, it is likely that the Feds would be pressed to finally take action - and that would make more of an impact (good and bad).</p>
<p>Sorry to be blunt - but NRF Chief Information Officer David Hogan should tell his constituents to suck it up and work to improve their systems, and stop whining!</p>
]]></content:encoded>
	</item>
</channel>
</rss>