Thursday, March 22, 2007

PCI enforcement is about money

There's been a lot of PCI chatter going on in the blogosphere, and having followed the standard for years now, I figured I'd toss in my $.02 via SC Mag.

Firms seeking PCI compliance face dilemma
"Like the laws of the land, the impact of industry regulation is dictated by the capability to enforce regulatory law. Manpower and funding are required. Without resources available, laws and regulations don’t matter much. In the U.S., our roadways are maintained and kept safe, marked with street signs, lined with guardrails and patrolled by law enforcement with funds collected from drivers’ license and vehicle registration fees. The cost of enforcement is what drives adoption and someone has to cough up the cash. The question for PCI-DSS is: who?"

2 comments:

Mike said...

In your SC article you mentioned "Up until 2006, validation of PCI-DSS compliance only required quarterly network vulnerability scanning, a service supplied by approximately 100 certified vendors."

This is not the case. In fact Level 1 merchants were required to have a vulnerability scan and on-site assessment as far back as 2004. What a merchant requires is based on their Level designation, which is defined by their acquirer or card association.

Jeremiah Grossman said...

Hey Mike, actually that's not how I meant that to read, but I can see how it would be confusing. I meant prior to 2006, they only had to scan for "network" layer vulnerabilities. Later, PCI included the need to scan "custom web applications" for things listed on the OWASP Top Ten.

Your remaining statements are my understanding as well.