Comments
VigilantJon wrote: 2 points on this: 1) Depending on the organization, why buy and go through that risk? Outsourcing this level of support and technology reduces organizational strain enabling IT to focus on improving business integration and innovation. This is not just an infrastructure monitoring problem, so picking a company who understands service management and service warranty is a must. 2) While grouping services, it is imperative that organizations look at their services and determine - what are those t...



Will You Comply or Just Check the Box?
There are a couple of interesting PCI developments coming over the next year

Some of both, apparently.  A recent Ponemon Institute PCI-DSS Compliance survey revealed that 71% of companies actually admitted that data security is not a top priority and 55% say they are only protecting credit card data and not other sensitive information like bank account info, social security numbers and drivers license data.

Additional statistics show that a minuscule 28% of smaller companies (501-1000 employees) are PCI-DSS compliant and around 70% of large companies (>75,000 employees) say they meet the regulations.  The one that jumps out for me is the small merchant stat.  I understand that cost is a large factor for smaller companies to be PCI compliant, but just imagine how many companies and industries fall into the 501-1000 employee category.

And that doesn’t count all the even smaller ‘Family Owned’ restaurants, auto repair shops or any other service where you say, ‘I like them because they are local or family owned.’  Unfortunately, those friendly establishments might not be a BFF with your sensitive data.  I’m not saying to avoid your favorite Chinese take-out but also be aware that the numbers are against you.

There are a couple of interesting PCI developments coming over the next year.  As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010.

These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered.  First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing.  And next July, all fuel pumps (and like terminals) will need to have encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES.  I imagine there will be another mad dash next spring for merchants to get in compliance.
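As an added illustration (not code from this post, F5 or any terminal vendor), the Go program below shows what the fuel-pump requirement above amounts to on the wire: the entry device never emits the PIN itself, only an 8-byte PIN block encrypted under TDES, and the host side reverses the process to recover it. The PIN block layout used (ISO 9564-1 format 0, the padded PIN field XORed with the PAN field), the key, PAN and PIN values are all assumptions and constructed sample data; the post specifies only TDES. The key check also rejects a double-length key whose two halves are equal, because encrypt-decrypt-encrypt with K1 = K2 collapses to single DES, which is exactly what the 2009 mandate retired.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not the post's or any vendor's code. ASSUMPTION: the clear
// PIN block is ISO 9564-1 format 0; the post names only TDES as the cipher.

// expandKey converts a double-length (16-byte, K1|K2) TDES key into the
// 24-byte K1|K2|K1 form crypto/des expects. K1 == K2 is rejected because
// EDE with equal halves degrades to single DES.
func expandKey(key []byte) ([]byte, error) {
	switch len(key) {
	case 24:
		return key, nil
	case 16:
		if bytes.Equal(key[:8], key[8:]) {
			return nil, errors.New("K1 == K2: TDES would collapse to single DES")
		}
		k := append([]byte{}, key...)
		return append(k, key[:8]...), nil
	default:
		return nil, errors.New("TDES key must be 16 or 24 bytes")
	}
}

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return len(s) > 0
}

// panField is the 12 rightmost PAN digits excluding the check digit,
// left-padded with four zero nibbles, as 8 bytes.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// formatPINBlock builds the clear format-0 block: nibble 0, PIN length,
// PIN digits, F padding to 16 nibbles, XORed with the PAN field.
func formatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	for len(field) < 16 {
		field += "F"
	}
	p, err := hex.DecodeString(field)
	if err != nil {
		return nil, err
	}
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// extractPIN is the host-side inverse of formatPINBlock.
func extractPIN(block []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil || len(block) != des.BlockSize {
		return "", errors.New("bad PAN or PIN block")
	}
	field := make([]byte, des.BlockSize)
	for i := range field {
		field[i] = block[i] ^ q[i]
	}
	n := int(field[0] & 0x0F)
	if field[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a format-0 PIN block")
	}
	pin := hex.EncodeToString(field)[2 : 2+n]
	if !allDigits(pin) {
		return "", errors.New("PIN field is not numeric")
	}
	return pin, nil
}

// tdesBlock applies one TDES block operation (encrypt or decrypt) to an
// 8-byte PIN block; a single block needs no mode or IV.
func tdesBlock(key, in []byte, encrypt bool) ([]byte, error) {
	k, err := expandKey(key)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(k)
	if err != nil || len(in) != des.BlockSize {
		return nil, errors.New("bad key or block length")
	}
	out := make([]byte, des.BlockSize)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out, nil
}

func encryptPINBlock(key, clear []byte) ([]byte, error) { return tdesBlock(key, clear, true) }
func decryptPINBlock(key, enc []byte) ([]byte, error)   { return tdesBlock(key, enc, false) }

func main() {
	// Constructed sample values: a throwaway key, a test PAN and PIN.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan, pin := "4111111111111111", "1234"
	clear, _ := formatPINBlock(pin, pan)
	enc, _ := encryptPINBlock(key, clear)
	fmt.Printf("clear PIN block (never sent): %X\n", clear)
	fmt.Printf("TDES PIN block (on the wire): %X\n", enc)
	dec, _ := decryptPINBlock(key, enc)
	got, _ := extractPIN(dec, pan)
	fmt.Println("host recovered PIN:", got)
}
```

The clear block is computed only to show the intermediate step; a real entry pad keeps it inside the secure module and outputs the encrypted form alone.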

The other PCI piece is that, come summer 2010, PCI will be making some regulatory changes to update the PCI standards, including third-party audits (Level II), tokens, end-to-end encryption and potentially virtualization security.  Some of these changes should help in protecting our data.

And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach.  They just got whacked with another $275,000 for removing a database security monitoring tool.

As I finish up the 18th entry of 26 Short Topics I’ve noticed Regulatory Compliance, especially PCI, comes up frequently.  Maybe it’s the constant surveys, startling numbers, never-ending breaches and media reports, or maybe it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together.  You might not know, get along with or like your neighbor, but if you shop at the same store and they are breached, suddenly you’re both in the same boat – ‘Hey, that happened to me too!’  It’s one of those things that we all should care about.

ps



UPDATE - Added 10.22.09:  ChoicePoint would like to clarify the characterization of the FTC situation and I'm happy to include this for accuracy:

"Your piece titled "Will you Comply or Just Check the Box" touches on recent ChoicePoint/FTC news and the company would like to request a clarification.

1. In regards to your report that a "fine" was levied by the FTC
a. While the Commission has authority to seek a civil penalty, http://ftc.gov/ogc/brfovrvw.shtm it expressly did not do so in this case, as the language of the Order and the amount of monetary relief indicate.  The Supplemental Stipulated Order itself in Part I provides for "monetary relief...to be used for equitable relief, including, but not limited to consumer redress and any attendant expenses...."  The FTC incorrectly characterized the monetary payment as a "penalty" in its initial press release and has since revised its press release to correct this point.  The payment was made pursuant to the court's equitable authority to address compliance with its orders.  The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.

Thank you so much for your time and attention. We would very much appreciate your correction of the record."

- Not a problem, thanks for the update and appreciate the clarification.  ps


About Peter Silva
Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background, he moved to Verio to focus on access and IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact, so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicagoland area, working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product direction and evangelism for F5’s security line. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.
