I'm not sure I agree with everything that is said, but I recommend you read the article in ComputerWorld (also in CSO) where Heartland Payment Systems CEO Robert Carr talks about their massive data breach.
One good point he does make (which means I agree with him...) is when he says "If a smart person's job is to define a set of rules to keep merchants from being breached and they have to start somewhere, what they come up with is going to look something like PCI. There has to be a lowest-common-denominator set of rules. PCI could be improved, but the standard is fine."
Read the article, and blame whom you want to blame, or nobody. But keep a few things in mind. Heartland is a processor: processors have to retain cardholder data. You are a merchant, and you rarely if ever need to retain that data. So go back and ask yourself whether keeping cardholder data is really worth the risk and the lost sleep.
UPDATE: For a response to Mr. Carr's comments, you have to see this post by Rich Mogull at Securosis. I could not say it better.
The best quote to remember from the Heartland CEO's interview - 'PCI compliance doesn't mean secure.'