by Jesse Connell
I was at lunch last week with a good friend who is the VP of Risk and a co-worker, the company’s CISO. While we were mostly catching up we did spend some time talking about PCI and reflected on some interesting examples of attacks and violations relating to PCI.
My thought was: why aren’t more companies secure or compliant with this standard, not only to meet looming compliance deadlines but also for the protective benefits? According to this (slightly dated, sorry!) article:
“Visa has reported that 22 percent of Tier 1 merchants (organizations processing more than 6 million transactions per month) are PCI compliant, and 72 percent are on their way to becoming fully compliant.” 72% are NOT compliant! Earlier this year MasterCard said 20% of its top-tier merchants had not even submitted plans for compliance. Also, it is generally accepted that small to mid-sized retailers are in many cases at more risk and seem to be doing less about it. While that may be due to a lack of awareness (of the real risks) and a lack of IS maturity, there are also some challenges that have to be overcome. The article references some of those challenges (legacy and proprietary software, multiple regulations, costs and lingering risks).
As is often the case, it boils down to understanding risks, informing and raising awareness internally, and making the best decisions for the company. Knowing the business implications and having the judgment to lead the company down the right path is paramount.