Looking at the Standard

By Ericka Chickowski  |  Posted 2008-03-28 Email Print this article Print
 
 
 
 
 
 
 

As details trickle out about New England’s Hannaford Bros. grocery chain’s data exposure of 4.2 million customer records, questions are swirling about the implications affecting a merchant that has already been certified compliant with PCI security standards. Will security assessors be found liable?

 

Looking At The Standard
The Hannaford incident has also spurred questions about the PCI standards themselves, but most security experts agree that beyond a few tweaks the standard is actually pretty decent.

It is a matter of getting organizations to comply in good faith rather than simply chasing compliance for the sake of the certification.

“There's still the loophole around compensating controls which you can drive a truck through and things aren't specified that well, but PCI is better than some of the other standards that are out there,” said Pinkett. “Like any system, if you want to be responsible you can make really good use of it and it helps you have a checklist and helps you communicate to management the importance of the budget that needs to be applied to security programs. Or if you want to game the system, you can game the system so that you can get a checkmark and do as little as possible for that."

Public relations representatives for the PCI Security Council stated that it is currently waiting for details about the Hannaford breach before commenting on how it will affect the council’s vision of the standard.

Litan of Gartner believes it might stimulate some changes, but that an overhaul isn’t necessary.

“I think that the standard is adequate,” Litan said. “I think that what should happen is that maybe the PCI Security Council will refine section 11 of the standard, which talks about regularly testing the security systems and processes, to be more specific, give more guidance and train the assessors on what to look for because right now it is a little general. But you don’t want them to give too much prescription.”



<1234
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

Manage your Newsletters: Login   Register My Newsletters