> Jeff Simmons wrote:

> It wouldn't surprise me if there's been some blowback from the adoption of
> PCI-DSS (Payment Card Industry Data Security Standards). As someone who
> has
> had to help several small to medium size businesses comply with these
> 'voluntary' standards, the irony of the fact that the big banks that require
> them often aren't in compliance themselves hasn't escaped my notice.

I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It isn't 
usually enforced by big banks except insofar as they are liable for PCI-DSS 
compliance when outsourcing to or partnering with other companies. So they may 
be forcing it on the SMBs you've worked with because they're liable in some way.

PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the payment 
card security standards committee) and we wrote an open letter back in 2005 to 
Visa and Mastercard asking them not to set new, separate standards for the 
financial sector but to work from within X9F. They ignored us. Even though you 
clearly indicate that they aren't truly voluntary via your use of quotes, when 
the PCI group (VISA et al.) can unilaterally level huge fines and/or penalties 
for non-compliance they really are compulsory.

Luckily, PCI-DSS compliance != security. Or is that unluckily because of how 
much money is wasted complying that could be better spent securing.

Eric Lengvenis
InfoSec Arch

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to