Oct 09 2007
I wrote the other day about what a big fan I am of PCI, and why I’m happy merchants are rebelling against it.
Although this is a win-win of sorts, I nevertheless can’t help but see this playing out in a way that gives security a bad rap:
1. We build and start using pieces of technology under one set of assumptions. “Let’s build us some networks and databases to share information!”
2. Later, we start using that technology more and more under an expanded or different set of assumptions. This is usually a long, iterative process. Eventually, it’s “Let’s transmit credit cards over our networks and store them in our databases!”
3. Much later, we recognize that some of our incremental uses have long since introduced serious risks. “Oops!”
4. We ignore those risks as long as we can. “These are not the security ‘droids you’re looking for!”
5. Once our hand is forced (“PCI fines are how big?”), we invest enormous sums retooling technology we created way back in step 1 to support all the new cases we garnered during steps 2-4.
Often step 5 is the right way to go. Business pragmatism has a way of dictating this, as it did the whole process in fact, and generally speaking I don’t have a problem with it. So long as we’re honest about it.
But smokescreens aren’t honest. This is where the credit card companies have failed us. Had they been honest with us a few years ago, they would have mandated a five-year program to wean the industry off of legacy credit card processing and on to SET.
The reason they didn’t, of course, is obvious. With SET, who inherits the burden of liability that results from card theft?
But despair not, merchants. Even without SET there are still plenty of good ways to offload liability from credit card theft. It’ll take strength in numbers to convince the card companies to cooperate though. The technology itself isn’t as revolutionary as you might think, as I can attest from championing preparations for it at Amazon.com.
Posted by Larry J. Hughes, Jr. on Tuesday, October 9th, 2007, at 5:29 pm, and filed under Articles.