> Jeff Simmons wrote:

> It wouldn't surprise me if there's been some blowback from the adoption of
> PCI-DSS (Payment Card Industry Data Security Standards). As someone who has
> had to help several small to medium size businesses comply with these
> 'voluntary' standards, the irony of the fact that the big banks that require
> them often aren't in compliance themselves hasn't escaped my notice.

I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It isn't 
usually enforced by big banks except insofar as they are liable for PCI-DSS 
compliance when outsourcing to or partnering with other companies. So they may 
be forcing it on the SMBs you've worked with because they're liable in some way.

PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the payment 
card security standards committee) and we wrote an open letter back in 2005 to 
Visa and Mastercard asking them not to set new, separate standards for the 
financial sector but to work from within X9F. They ignored us. Even though you
clearly indicate that they aren't truly voluntary via your use of quotes, when
the PCI group (VISA et al.) can unilaterally levy huge fines and/or penalties
for non-compliance, they really are compulsory.

Luckily, PCI-DSS compliance != security. Or is that unluckily, because of how
much money is wasted complying that could be better spent securing?

Eric Lengvenis
InfoSec Arch

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com