[Dataloss] CC companies not disclosing actions against PCI DSS violators

B.K. DeLong bkdelong at pobox.com
Thu Mar 29 14:48:38 UTC 2007


A bit of a rant follows....

I don't know about anyone else on this list, but I've been talking to
many, many organizations who don't see the risk of non-compliance with
PCI due to action being taken.

Except action is being taken - large fines are being levied and, in
some cases, companies ARE losing processing privileges. The problem is
that because the relationships between the credit card companies,
processors and merchants are private contracts, there is no reason
for the companies to disclose actions taken, and obviously there are no
laws requiring that such actions be disclosed.

I'm wondering if any of the state data breach reporting laws have
tried to require, or do require, mention as to whether a credit card
company took action when credit card information was lost in a breach.
Come to think of it, does the information protected under PCI DSS and
data breach laws overlap?

Vendors - you want people to take PCI more seriously? Push for even a
generic disclosure - "there have been 200 fines in the past two
years"; "20 companies have been fined this quarter totaling $20M in
fines"; "15 companies lost processing privileges for 30 days to 6 months,
with 5 of them being Fortune 500" etc. (or whatever).

Reporters - while covering all these data breaches, press the
companies where CC info was involved in the breach as to whether
action was taken by their credit card company as required by the PCI
DSS.

Everyone else - has anyone seen data about a breach involving credit
cards where the price of goods may have gone up to cover an
undisclosed fine? Or where the company had a "glitch" in processing
credit cards for a period of time?

What about states without breach disclosure laws? From an information
security perspective, my senior management isn't going to deign to
comply with PCI DSS if all they have to do is pay a fine or deal
with a short processing restriction period (which can be explained as
technical difficulties), if there's no chance of the bigger, more
detrimental effect of public shame and loss of reputation.

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org