PCI Pain: Is it time for an overhaul?  

Resources for Federal Financial Institutions Examination Council (FFIEC)


searchsecurity.techtarget.com.au

PCI is everywhere. You basically need to bring an umbrella with you to make sure PCI doesn't fall on your head. Of course, I'm being a bit tongue-in-cheek, but the Payment Card Industry Data Security Standard (PCI DSS) is the biggest thing to hit security people since Sarbanes-Oxley did a dance on our heads a few years ago.

To be clear, the intent of PCI -- which is to protect private payment information while reducing fraud and providing more confidence in the global credit issuance business -- is meant to be positive. But now that we've had some time to let the original standard and a first revision (PCI DSS 1.1 hit in September 2006) sink in, it's questionable whether PCI is even achievable and whether its defences will help secure your environment.

The catalyst for this discussion was an April interview in which Phil Mellinger -- who had a hand in building the original PCI DSS specification -- questioned whether the rules should be loosened to make PCI more "achievable", beyond the "compensating controls" loophole that was added in PCI 1.1.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.