
April 26, 2005

The effect of legislation

The Register has an article which mentions the approaching deadline (June 30th) for merchants to comply with the PCI Data Security Standard for credit cards, which unifies requirements from VISA, MasterCard, Discover and American Express. The deadline has already passed for the really large merchants, those who have over 6 million transactions a year - that was September 30th, 2004. It generated a lot of pressure on larger companies as they rushed to comply - we could see it clearly in our customer base at Sana Security - and this deadline for smaller merchants is having a similar effect.

But I'm not sure how much these requirements help. Some of them are too technologically specific, for example, "Install and maintain a firewall configuration to protect data", and some seem far too vague, such as "Develop and maintain secure systems and applications". I think the merchants should be left to protect their networks as they see fit, without having to comply with requirements that may not make sense in any given environment, or that may not represent the most effective use of security dollars. For example, the Jericho Forum is promoting "deperimeterisation", and the requirement for firewalls goes against their thesis that we need to abandon the idea of a secure perimeter.

Those who drew up the PCI standard should learn from the lessons of the California disclosure act (SB 1386), which simply requires companies to inform customers when their personal information has been exposed. 1386 has resulted in many hacking incidents becoming news lately, including Polo Ralph Lauren, LexisNexis, DSW, and PayMaxx. (For a full list of recent publicly announced data breaches see here). The effect of public knowledge of these incidents upon a company can be profound, leading to loss of confidence and customers. In fact, analysis has shown that publicly known hacking incidents can cause a significant drop in stock price for the targeted company.

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they are restricted to using specific technologies and practices, they won't be able to take advantage of new developments.

So, having said all that, my suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure. And to offset the impact of losses, they should continue to incorporate the notion of quarterly scans by independent assessors, which is one of the few good things about the PCI Data Security Standard.

Posted by sana on April 26, 2005 03:30 PM

Comments

I was talking to a guy who worked for a gateway to visanet (I think that that is what the network is called...). He said that the reason why many of the requirements are what they are, especially for low transaction volume merchants, is that merchants wanted a checklist for what to do to avoid liability from the Credit Card companies. That is why there is a lot of procedural stuff in the spec (firewall, audits for the big guys, etc.)

  Posted by: nordsieck at May 7, 2005 01:34 PM
