The need to get serious about PCI DSS

It seem like every second day we hear about another security breach or data compromise involving usually tens of thousands of card numbers and often additional and even more sensitive information which if used in conjunction with the card number can result in serious financial loss and reputational damage to the compromised party.

At the same time, many in our industry complain about the rigorous demands of the Payment Card Industry Data Security Standard, the cost which it imposes on the industry and the fact that investment in complying only hurts "the bottom line". These attitudes tend also to prevail in organisations where IT Systems and Infrastructure are the cinderella of the organisation and are seen almost as a necessary evil. Whatever chance you might have of making IT investment for a new customer or service forget about asking for IT spend to improve security.

These attitudes are about as short sighted as a business which left cash takings lying on the shop counter or a warehouse full of stock unsecured and unmonitored.

Yet there are lots of shopping malls right across Europe where stores have wireless networks deployed and totally unsecured. Often these wireless services reside in the same network as POS concentrators and transaction servers. These stores will tell you how committed they are to security but they effectively have a double lock on the front door and have left the back door wide open.

It is past time for the Industry and the authorities both national and European to get serious about this. If holders of personal data don't care about the possibility of scheme fines, loss of card acquiring facilities and perhaps most importantly loss of reputation, they must be made care about the damage they are doing to the payments industry which must continue to flourish to displace expensive cash and cheque alternatives. They must more importantly be forced to care about the distress, misery and inconvenience they cause their customers who trust them to secure their data.

The card schemes and the PCI Security Standards Council who conceived the standard could give a lead by issuing a formal mark of approval to those who demonstrate compliance.