Ask the Expert

How are the PCI DSS deadline extensions affecting corporations' desire to become compliant?

How are the PCI DSS deadline extensions affecting corporations' desire to become compliant? Why do you think banks and credit card companies are issuing these extensions?

Most of the extensions issued by banks have been kept relatively hush-hush. Obviously they don't want retailers to think they can put off doing the right stuff to get compliant. To specifically answer the first part of your question, there are basically two types of companies out there: those that are trying to do the right thing for their customers by getting compliant, and those that aren't as interested because they don't think a breach will happen to them. Thus they do the bare minimum at all times, such as putting off fixing things until the auditor shows up and forces the issue. I'm not sure why any self-respecting security professional would work in an environment like this.

I'm actually OK with the former companies (that are doing their best) getting reasonable extensions and then being held accountable to make the agreed-upon progress. Getting PCI DSS compliant is a reasonably long and fairly hard struggle for a corporation that hasn't done much relative to security.

The other type of company should be drawn and quartered (and fined) and made to understand how important it is to safeguard customer data. But that is likely a losing battle.

In terms of why the banks would offer these extensions, it's a basic risk management decision. They assess the track record of the retailer and try to figure out how exposed they are to fraud. Then they decide if it's a good idea to issue the extension versus saying no and risking that the retailer will take its business elsewhere. Remember, merchant banking is a competitive business, and some banks will relax general risk standards if they think it's a good business decision.

This was first published in January 2008
