Thanks to Mike from pcianswers.com for his recent comments to my post on PCI penalties not being stiff enough. I am thrilled that there are finally some carrots and sticks like Mike mentions in his recent blog.
But how much is the one-time payment in the Visa CAP program? $10,000 a month? For you and me, that's a lot of money, but to a large company it may be peanuts... or at least less expensive than the cost to comply.
To me, the best enforcement is by the CONSUMER. I would like to walk into a store or shop on-line and see some kind of sign that I would trust indicating that this merchant has been validated - a "Good Housekeeping seal" of some kind.
Conversely, I would like to know if the merchant is not compliant. As a consumer, I want to be informed so that I can make a decision to shop here or not. At the end of the day, it is about protecting consumers.
Give consumers the power to decide. That's my two cents.
Speaking of carrots and sticks, news stories are starting to give us some idea of what TJX may be facing in fines as a result of their data breach. According to some stories, the amount could be in the half-million dollar range. A significant fine, to be sure, but, to my point above, what is that to a company like TJX? I'm not sure it's a big enough stick, given the costs of covering the fraudulent purchases and replacing millions of cards at $30 apiece. Evan Schuman talks about the lack of teeth in PCI on eweek.com this week.
What's your opinion?

Alex, good question. How about the debate that Alex and PCI Answers are having on this issue?
I would state that fines are steep for small merchants, but small for large merchants. So why should large merchants care? Check out the list:
http://pcianswers.com/2007/02/26/seek-first-to-understand-and-then-to-be-understood/
* Class action lawsuit
* Reissuance fees
* Card brand cost recovery programs for Issuers
* Credit monitoring
* Potential FTC regulation (did people forget that BJ's Wholesale club got hit with this?)
* Remediation costs
Now take those and multiply them by 40m card numbers... you can see how the numbers add up.
Posted by: Mike | March 02, 2007 at 11:01 AM