Comments on: Risk and PCI-DSS http://risktical.com/2008/12/17/risk-and-pci-dss/ Assessing, Articulating & Quantifying Information Security Risk Fri, 04 Jun 2010 19:07:42 +0000 hourly 1 http://wordpress.com/ By: Jack http://risktical.com/2008/12/17/risk-and-pci-dss/#comment-161 Jack Tue, 23 Dec 2008 12:42:43 +0000 http://risktical.com/?p=132#comment-161 Chris, You mention "showing due care" to customers, etc., but I would submit that PCI as "due care" is a bit of a Potemkin Village -- i.e., the appearance of due care, but without substance. This isn't completely true, of course, as PCI compliance does reflect an attempt at due diligence. Actual due care would be better reflected in being able to prioritize risk issues effectively (which PCI absolutely fails on) and cost-effective control selection (which PCI doesn't address). Thanks, Jack Chris,

You mention “showing due care” to customers, etc., but I would submit that PCI as “due care” is a bit of a Potemkin Village — i.e., the appearance of due care, but without substance. This isn’t completely true, of course, as PCI compliance does reflect an attempt at due diligence. Actual due care would be better reflected in being able to prioritize risk issues effectively (which PCI absolutely fails on) and cost-effective control selection (which PCI doesn’t address).

Thanks,
Jack

]]> By: Chris Hayes http://risktical.com/2008/12/17/risk-and-pci-dss/#comment-160 Chris Hayes Sun, 21 Dec 2008 20:58:05 +0000 http://risktical.com/?p=132#comment-160 @Travis – Right, wrong or indifferent – PCI-DSS is quickly - or already is in certain circles - becoming the "standard”. There is no reason not to presume that other regulatory/oversight bodies - whether government or private – will not adopt PCI-DSS or the like. I have found this to be a great “contributing factor” in regards to explaining the exposure of not being complaint over the long run to business decision makers. To be honest - a lot of the standards are common sense and overlap with with what FRC auditors are looking for, as well as Internal Audit groups for organizations that are large enough to have them. Thanks for commenting as well as reading my blog! Happy Holidays! @Travis – Right, wrong or indifferent – PCI-DSS is quickly – or already is in certain circles – becoming the “standard”. There is no reason not to presume that other regulatory/oversight bodies – whether government or private – will not adopt PCI-DSS or the like. I have found this to be a great “contributing factor” in regards to explaining the exposure of not being complaint over the long run to business decision makers. To be honest – a lot of the standards are common sense and overlap with with what FRC auditors are looking for, as well as Internal Audit groups for organizations that are large enough to have them.

Thanks for commenting as well as reading my blog! Happy Holidays!

]]> By: Travis http://risktical.com/2008/12/17/risk-and-pci-dss/#comment-159 Travis Fri, 19 Dec 2008 22:33:43 +0000 http://risktical.com/?p=132#comment-159 The problem with comparing risk to compliance in dollar values is taking into account the fact of a data breach. If a company's data is lost, there is the cost of damaging the company's public image. Which in the long run can be much more harmful, especially in today's economy where consumers are wanting to stretch their dollars further. What a company needs is a solution which is more cost effective to them and can do more then just get them PCI complaint, but get them closer to being compliant with other regulations. The problem with comparing risk to compliance in dollar values is taking into account the fact of a data breach. If a company’s data is lost, there is the cost of damaging the company’s public image. Which in the long run can be much more harmful, especially in today’s economy where consumers are wanting to stretch their dollars further. What a company needs is a solution which is more cost effective to them and can do more then just get them PCI complaint, but get them closer to being compliant with other regulations.

]]>