PCI-DSS Compliance: Part 6

OK, OK, this is it in this series, I promise! But I have to say just one more thing concerning the PCI-DSS standard. We all know that many PCI-DSS merchants do as little as they can to be ruled compliant with this standard, complaining all the while. And we also know that companies such as TJX have suffered major data security breaches involving credit card data, yet after agreeing to make major changes in their security controls went back to the way things were done before the breach. In the case of TJX, an internal whistleblower (who, not surprisingly, was fired) told the world the truth about TJX saying one thing but doing another. Heartland Payment Systems, however, is a very notable exception. Heartland’s CEO, Robert Carr, woke up to what was really happening there after the massive data security breach and became determined to do something decisive about the problem. He is not only putting end-to-end encryption in place at Heartland, but is spearheading an effort to create a standard for encryption of data in motion across the entire commercial sector.

Carr’s initiatives are exemplary, but from an information security perspective there is something about him that is even better: he is serving as a positive role model for executive management. Let’s face it, far too many executive managers care very little about information security. Assuming that “this could never happen to me,” they view information security as a waste of money. Many of them are extremely resentful of having to comply with the PCI-DSS standard, and many are not shy about vocalizing their complaints. Now along comes Carr. He has become a very popular speaker, and in his talks he reportedly apologizes sincerely for what happened at Heartland Payment Systems. He must be extremely convincing, because individuals I know who have heard him speak have told me that at times he appears almost to have tears in his eyes. And instead of whining about the PCI-DSS standard, Carr has gone on record as saying that the standard is too lax and needs to mandate stronger controls. To put this another way, while other executive managers murmur that it is too costly to comply with the PCI-DSS standard, Carr is saying “it’s not enough; let’s take this standard further, to the point where it results in a suitable level of security.”

Hopefully, executive managers around the world will notice and heed what Carr has been saying. Instead of being arrogant or indifferent after Heartland’s data security breach, he is contrite, humble and concerned. Before this breach, Carr thought that such an incident could not occur at his company. Now he knows better. Additionally, information security issues at Heartland have now clearly been raised to the level of executive management.

I attend more than my fair share of conferences and presentations at professional association meetings. I often hear information security managers share something: a success in implementing some new technology, a new way of enforcing compliance with policy and standards, and the like. This is all fine and dandy, and I wouldn’t mind hearing more talks such as these in the future. But conference organizers and others should “mix it up” more by bringing in Robert Carr and others like him. In many ways, they are worth more to information security than the most accomplished of all information security practitioners, because as executive management goes, so goes an information security practice. So keep it up, Robert; you are truly a star!

