This blog entry is the eighth concerning my ten predictions regarding events and trends that I have said will come to fruition in 2008. The eighth is:

8. PCI-DSS compliance will grow in focus and importance to the point that it will become one of the top two or three security issues in the security practices of organizations that deal with credit card information. The number of fines for non-compliance will also proliferate greatly as an increasing number of corporations and organizations are found to be out of compliance.

Although I knew something about compliance before I came to High Tower Software, my work here has made me realize how relatively little I actually knew before. My job has required that I become thoroughly acquainted with the major regulations and statutes involving information security issues. Of all the ones with which I have dealt, none has been as complex to interpret and to translate into requirements for the High Tower security event management appliance’s reporting capabilities as the PCI-DSS requirements. Some PCI-DSS requirements, such as not allowing credit card information to be transmitted over networks in the clear, are straightforward. Others, such as monitoring the creation and deletion of all system-level objects, are much more difficult both to interpret and to devise a way of demonstrating compliance with. The fact that there are four levels of PCI-DSS compliance only complicates things further.

Complexity does not in and of itself necessarily increase the importance of an issue, however. The constantly growing importance of PCI-DSS compliance traces largely to the consequences of being caught out of compliance. Enforcement of PCI-DSS compliance is very similar to the way the purchase of subway tickets is handled in numerous European countries. Every subway rider is required to purchase a ticket, but instead of there being someone to check or punch tickets before the rider can enter the boarding area, each rider is allowed to walk to and board a train without any check whatsoever. If someone does not buy a ticket, that person may well get away with it (the most likely outcome). However, the subway police sometimes enter a train and check tickets, and anyone caught without a ticket is levied a hefty fine. The same is true of PCI-DSS compliance. An organization can do absolutely nothing to comply, and if so, it is very likely that the organization will get away with it. If an incident occurs in which it becomes apparent that the organization is out of compliance, however, a variety of penalties can be assessed against it. One of the most severe penalties is raising the cost of each credit card transaction, something that can in the long run increase the cost of transactions by millions of dollars every year. The PCI consortium is in effect just starting to assess fines; as its mechanisms for checking compliance become more sophisticated over time, it becomes increasingly likely that more credit card-issuing organizations will be found to be out of compliance. Additionally, more second- and third-time violations will be discovered, resulting in escalating fines.

Finally, PCI-DSS applies to many more organizations than was originally widely believed. Even colleges and universities, which typically handle many credit card transactions in connection with donations, ticket sales for cultural and athletic events, and more, are now having to devote concerted effort to achieving the necessary level of PCI-DSS compliance.

As I have said in other blog postings, compliance is becoming one of the most important areas within information security, if not the most important, and one that generally merits board-level attention. PCI-DSS compliance is no exception, so considering this along with the other reasons I have discussed in this posting, it is logical to predict that the importance of this type of compliance will greatly increase in the coming year.

