<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Irish Times calls for data breach disclosure law</title>
	<atom:link href="http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/</link>
	<description>Civil, Legal and Human Rights in a Digital Age</description>
	<lastBuildDate>Thu, 18 Mar 2010 15:40:16 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Recent Faves Tagged With "disclosure" : MyNetFaves</title>
		<link>http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/comment-page-1/#comment-98914</link>
		<dc:creator>Recent Faves Tagged With "disclosure" : MyNetFaves</dc:creator>
		<pubDate>Thu, 12 Mar 2009 22:20:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.digitalrights.ie/?p=122#comment-98914</guid>
		<description>[...] public links &gt;&gt; disclosure    Irish Times calls for data breach disclosure law First saved by klaufer &#124; 10 days ago      Irish Times Adds Her Voice to Calls for Data Breach [...]</description>
		<content:encoded><![CDATA[<p>[...] public links &gt;&gt; disclosure    Irish Times calls for data breach disclosure law First saved by klaufer | 10 days ago      Irish Times Adds Her Voice to Calls for Data Breach [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brian Honan</title>
		<link>http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/comment-page-1/#comment-82896</link>
		<dc:creator>Brian Honan</dc:creator>
		<pubDate>Thu, 14 Aug 2008 22:03:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.digitalrights.ie/?p=122#comment-82896</guid>
		<description>@ Jim Kilgour

Jim, the PCI DSS Credit Card Payment Standard applies to all companies that process credit cards.  This applies to credit cards used in online sales, at point-of-sale systems in shops or indeed over the phone or via fax machine.  So it is important to note that it is not confined to just ecommerce companies.

It is an important standard as it prescribes a minimum set of requirements regarding policies, procedures and technology that must be in place for companies that process credit card details.  The standard is an important one as it provides good details on how to secure a network and systems in line with recognised industry best standards.  But we should remember that it is the minimum baseline a company should have and by its nature will not guarantee 100% security of the data.

The standard is audited and managed by the credit card industry.  This in my mind is one of the fundamental weaknesses of the standard as the credit card companies may not be keen to fine their own customers.  

Another issue is the low rate of take-up of the standard.  There are still many companies, both here in Ireland and abroad, that are not yet compliant.  Indeed, through my work, a number of companies I have dealt with who should be compliant with the standard are not even aware of it.

Unfortunately PCI DSS does not have a badge or label by which we as consumers can see whether or not the company we are dealing with complies with the standard.  This again is another weakness I see in it.

PCI DSS, while a good standard, is also similar to our Data Protection Act in a lot of ways.  They both dictate that companies should take appropriate measures to protect the data they hold on their customers, PCI DSS for credit card data and the Data Protection Act for all personal data.  The problem we face in Ireland is that without breach disclosure laws in place there is no obligation on any organisation to notify their clients should the security controls they have put in place fail.

This to my mind is a fundamental weakness.  We entrust our personal, financial and medical details to many different organisations.  Those organisations need to realise they are guardians of this information and they must ensure they keep the data entrusted to them secure.  Focusing on meeting the bare requirements to meet an audit does not necessarily achieve that goal. 

Mandatory breach disclosure laws will help close that gap and ensure that if our personal data is accessed by unauthorised persons then at least we have the information to take whatever steps we deem necessary to protect ourselves and our families.  It can also help other companies as they can learn from the mistakes of those companies that suffer a breach and ensure that they address whatever flaws or weaknesses that caused the breach in the affected companies.

Remember to look at this earlier post http://www.digitalrights.ie/2008/08/11/even-more-lessons-from-laptop-loss/ to get details on how you can add your voice to the call for the introduction of mandatory breach disclosure laws.</description>
		<content:encoded><![CDATA[<p>@ Jim Kilgour</p>
<p>Jim, the PCI DSS Credit Card Payment Standard applies to all companies that process credit cards.  This applies to credit cards used in online sales, at point-of-sale systems in shops or indeed over the phone or via fax machine.  So it is important to note that it is not confined to just ecommerce companies.</p>
<p>It is an important standard as it prescribes a minimum set of requirements regarding policies, procedures and technology that must be in place for companies that process credit card details.  The standard is an important one as it provides good details on how to secure a network and systems in line with recognised industry best standards.  But we should remember that it is the minimum baseline a company should have and by its nature will not guarantee 100% security of the data.</p>
<p>The standard is audited and managed by the credit card industry.  This in my mind is one of the fundamental weaknesses of the standard as the credit card companies may not be keen to fine their own customers.  </p>
<p>Another issue is the low rate of take-up of the standard.  There are still many companies, both here in Ireland and abroad, that are not yet compliant.  Indeed, through my work, a number of companies I have dealt with who should be compliant with the standard are not even aware of it.</p>
<p>Unfortunately PCI DSS does not have a badge or label by which we as consumers can see whether or not the company we are dealing with complies with the standard.  This again is another weakness I see in it.</p>
<p>PCI DSS, while a good standard, is also similar to our Data Protection Act in a lot of ways.  They both dictate that companies should take appropriate measures to protect the data they hold on their customers, PCI DSS for credit card data and the Data Protection Act for all personal data.  The problem we face in Ireland is that without breach disclosure laws in place there is no obligation on any organisation to notify their clients should the security controls they have put in place fail.</p>
<p>This to my mind is a fundamental weakness.  We entrust our personal, financial and medical details to many different organisations.  Those organisations need to realise they are guardians of this information and they must ensure they keep the data entrusted to them secure.  Focusing on meeting the bare requirements to meet an audit does not necessarily achieve that goal. </p>
<p>Mandatory breach disclosure laws will help close that gap and ensure that if our personal data is accessed by unauthorised persons then at least we have the information to take whatever steps we deem necessary to protect ourselves and our families.  It can also help other companies as they can learn from the mistakes of those companies that suffer a breach and ensure that they address whatever flaws or weaknesses that caused the breach in the affected companies.</p>
<p>Remember to look at this earlier post <a href="http://www.digitalrights.ie/2008/08/11/even-more-lessons-from-laptop-loss/" rel="nofollow">http://www.digitalrights.ie/2008/08/11/even-more-lessons-from-laptop-loss/</a> to get details on how you can add your voice to the call for the introduction of mandatory breach disclosure laws.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Administrator</title>
		<link>http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/comment-page-1/#comment-82839</link>
		<dc:creator>Administrator</dc:creator>
		<pubDate>Thu, 14 Aug 2008 14:57:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.digitalrights.ie/?p=122#comment-82839</guid>
		<description>Brian Honan would be better placed to answer that (http://bhconsulting.ie).</description>
		<content:encoded><![CDATA[<p>Brian Honan would be better placed to answer that (<a href="http://bhconsulting.ie" rel="nofollow">http://bhconsulting.ie</a>).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jim Kilgour</title>
		<link>http://www.digitalrights.ie/2008/08/13/irish-times-calls-for-data-breach-disclosure-law/comment-page-1/#comment-82674</link>
		<dc:creator>Jim Kilgour</dc:creator>
		<pubDate>Wed, 13 Aug 2008 21:14:18 +0000</pubDate>
		<guid isPermaLink="false">http://www.digitalrights.ie/?p=122#comment-82674</guid>
		<description>How big a deal is PCI DSS in Ireland?</description>
		<content:encoded><![CDATA[<p>How big a deal is PCI DSS in Ireland?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
