The Texas thing with PCI....

Monday, July 23, 2007 6:27:46 PM (Pacific Daylight Time, UTC-07:00)
by Ray Zadjmool


The Texas House passes a bill

So it seems that a lot of the assessors are excited about the fact that compulsory compliance is being considered in Texas. For those of you who haven't heard, the Texas House of Representatives has unanimously passed a measure that would require PCI compliance if you do business with the state. Basically, the bill states:

"A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards."

Companies in violation of PCI rules can be fined and even lose the privilege of accepting payment card transactions.


My Thoughts

My thoughts on this are quite conflicted.

On one hand

As a PCI Level 1 assessor and QSA, Tevora is going to make a whole lot more money and get even busier than we already are, and we are insanely busy right now.

On the other hand, I am kind of insulted. How is the state going to tell you that you can't accept credit cards unless you get PCI compliant, and oh, do it now? Don't get me wrong, I love PCI, but PCI is not perfect, and it's definitely not easy. I would even go so far as to say it's not right for every business (blasphemy!).

The dirty little secret about PCI

For one thing, not every business is built the same, and PCI does not offer a risk-based assessment of controls. It's a one-size-fits-all set of "security best practice" guidelines that tries to be everything to everyone.

Currently the program can accurately boast that not one "PCI compliant" merchant or service provider has suffered a breach. The dirty little secret is that breaches do happen, and they happen to companies that have passed a PCI compliance assessment. But since the standard is so comprehensive, and is home to a lot of manual processes that could easily be overlooked, every company that has been breached and investigated has been found to be non-compliant with PCI at the time of the breach. (Yup, that's right: you didn't do "11.2.3.iii section 4" on the day of the breach. You are not PCI compliant.)

But that's not the point. My problem is not PCI. PCI is a great standard. It's better than anything else currently out there. A lot of things in PCI make a great deal of sense.

Is regulation the answer?

My problem is not PCI, my problem is regulation. I have a problem with trying to legislate compliance effort.

The whole reason the card companies adopted PCI was to get in front of the data breaches so that the industry doesn't become regulated. Free enterprise and competition are healthy in our country, and every time we regulate them, we ultimately end up hurting the consumer in the long run. Self-regulation has been proven time and time again. I don't think that creating some arbitrary threat is going to solve anything.

People forget that the card industry is a business like anything else. If it makes fiscal sense for companies to comply with PCI, then they will do it. Why? To make a profit, of course. The profit motive is the greatest motive a capitalist society can instill in its people.

Haven't we learned from Sarbanes-Oxley? Come on, was it really worth it? Did the problems of Enron and WorldCom go away because we jammed Sarbox down everyone's throats? If they did, then why do we have options backdating scandals coming out of our ears? Weren't those exactly the kind of internal controls that Sarbox was supposed to oversee?

Let it go

While I think the House bill is a good political stunt and is giving the people what they want to hear after the recent data security breaches, I really hope that the State Senate in Texas doesn't take the bait on this. PCI is a great standard, and I am more than happy to help my clients through it; but the choice to become compliant, and at what pace, has to be between the merchants and the acquirers.

If the acquirer is willing to accept the risk, and the merchant is prudent, I think measures can and will be taken to protect customer identity information without legislating it. 

Then we as consultants are able to work with our clients on doing it right. Why? Because it's the right thing to do, and it's going to save them money and reduce fraud.

Forcing the issue down every merchant's throat will only make PCI compliance a nuisance and ultimately silly, like HIPAA. (Oh yes, HIPAA is very silly.)

- Ray Zadjmool