Tuesday, April 24

Embracing PCI for no other reason than...
By Pete McLaughlin

One of my least favorite terms in the business world today is that all too tenuous ‘industry best practices for security.’ What does that really mean? Does ‘industry’ mean the ‘security industry’ or does it mean, for example, the ‘financial services industry?’ So let’s say it refers to the ‘financial services industry.’ Let’s go one step beyond that, does it mean the ‘regional bank industry’ or the ‘mutual fund industry’ or the ‘on-line financial search engine industry?’

It’s business speak, it’s flagrantly overused, and I have grown to despise it. We have let it slip into our everyday vernacular without protest or guilt. And the most disgusting part of it … even though I am far from a fan of the term, I use it. What a hypocrite...

So, I embrace the momentum that the Payment Card Industry standard is gaining. It provides structure to that nebulous term ‘industry standard’ because it does two key things:

- It provides detailed information about what exactly a company needs to do to comply with the standard; and
- It clearly states which companies need to comply (any organization storing, processing, or transmitting a Primary Account Number).

So I say embrace standards such as this one, particularly one backed by competitors that have banded together to solve a problem for an enormous consumer-base. Sure, it has it weaknesses and cynics can snarf at it. But, at the end of the day, it has merit if for no other reason than VISA, American Express, Discover, and MasterCard say so. And if it provides us with something more tangible than ‘industry best practices’ to benchmark our environments against, then I say AMEN brother.

No comments: