Computerworld reports that the State of Texas is mulling a bill that would make PCI requirements law - and that retailers that accept credit cards would be financially liable for data breach costs.
The state's House of Representatives last week voted 139-0 in favor of a bill that, if passed, would formally codify PCI requirements into state law that merchants would be obliged to comply with. Under HB 3222 a breached entity would have to reimburse banks and credit unions for the costs associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies that are PCI compliant and nonetheless get breached. The proposal still needs to win approval in the state Senate before it becomes law.
Texas is not the only state eyeing such a bill. In Massachusetts, legislation proposed earlier this year by state Rep. Michael Costello would hold retailers financially liable to banks for the costs of a credit card security breach.
Gartner's Avivah Litan comes out swinging, though, suggesting that banks are shifting too much liability onto merchants. "In every single instance, the retailer already has to pay for the direct costs of the fraud. And now banks are trying to shift the customer service costs to the retailer as well," she said. "Retailers are being pinned against the wall, frankly," Litan said. "If laws like this take effect, it could have serious consequences on a retailer's balance sheets."
While that may be true, the reality is that the retailer (after the consumer) has the most to lose, especially reputationally. What should not be confused is the cost of doing business with the cost of implementing industry mandates. Effective protection of customer data should be viewed as a cost of doing business. PCI is forcing an entire industry to step up to that responsibility.
I speak to plenty of retailers. Many are already there. Some of them have very small but resourceful IT departments that have automated many of the processes, reports, sampling and alerts that surround PCI. What always amazes me is the number of retailers, some of them large, that still lack strong security processes by even the most basic standards. Who should bear their costs: the banks, or ultimately the consumer? We're here to help.
Posted May 16, 2007 in Compliance