The Last Watchdog

on Internet security by Byron Acohido

Go ahead, ask if the system is safe

Posted on April 9, 2008

More from the RSA Conference Floor:

PCI Security Standards Council general manager Bob Russo told me the Hannaford Brothers grocery store chain was compliant with the Payment Card Industry Data Security Standard, or PCI-DSS, in February 2008. But Russo says he doesn't know whether that was still true a few weeks later, when hackers stole 4.5 million customer records from 300 stores. PCI-DSS assessments are done annually, he said, so a passing assessment is a point-in-time judgment, not a guarantee about the weeks and months that follow. Examiners will try to determine whether the assessor missed something, whether the company let down its guard, or whether "anything in the standard needs to be fixed," Russo said.

Russo said his wife, a non-techie alarmed by news reports of data thefts, recently asked a store clerk whether the credit card transaction she was about to make was safe, and the clerk was at a loss to answer. I told Russo his wife was on the right track: if millions of consumers followed her example and demanded answers about how carefully our data is being handled, perhaps banks, merchants and tech companies would give more weight to the risk consumers are being exposed to. Perhaps merchants would move more quickly to adopt not just PCI-DSS, but also the council's recommended best practices for handling PIN data and for using security-hardened payment applications.
