The Agency Insider with Linda McGlasson

The 'P' in PCI Should Stand for People

I've been listening to a lot of different perspectives at the PCI Security Standards Council community meeting this week. PCI experts, security experts, vendors, analysts and payment card industry leaders - all of them talking about protecting card data, securing the networks that carry the card data, and how technology is helping answer the growing list of security requirements, guidance and changes to the PCI data security standard.

There is never any mention of why they're doing all of this, or who ultimately is the biggest beneficiary. Who will benefit from a stronger payment process that protects card data? The obvious answer is: Everyone who has anything to do with handling card data, but especially the consumer who holds the card.

The card data breaches of retailers, payment processors and businesses have left many consumers shaking their heads, wondering why they don't just go back to paying cash. In listening to everyone speak here this week, I've not heard anyone mention the needs of the customer, not even in passing.

It's time to put the P back into PCI's focus -- the P standing for people, not payment. As one attendee noted to me about the credit cards in his wallet, "What I want to know is will there be a solution, or combination of them, that I can know is going to protect my cards and ultimately my credit ratings?"

The emerging technologies that can step up to offer better, faster, stronger ways to protect card data throughout the payment process are laudable, positive and promising. Being transparent with the customer about all of this, and remembering why we're all doing it, are important points to keep in mind, too.

Everyone should put themselves in the shoes of an average cardholder who one day opens a statement only to find that an account has been compromised, and thousands of dollars of fraudulent charges have been made with the card. I hear from people to whom this has happened, and it is a truly bad experience.

Putting the P (people) back into PCI's focus also will take the form of involving more constituents in the protection process, doing the basic things that stop the bad guys from getting into computer networks. I heard yesterday from Chris Novak of the Verizon Business Investigative Response Team that more than 80 percent of all breaches would have been spotted by the business had they just looked with a closer, more discerning eye at their log files. He suggests something as basic as log file monitoring on a regular (think: daily) basis is a great place to start beating the bad guys.
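To make the "look at your log files daily" advice concrete, here is an added example of what a minimal daily review can look like. It is not code from this column or from Verizon Business: the log format, the sample lines (constructed, using reserved documentation addresses), the thresholds and the function names are all assumptions of this example. It reads one day of SSH-style authentication lines and surfaces the handful of patterns a reviewer should not scroll past: a source that fails repeatedly against one account, a success that follows such a run of failures, logins outside business hours, and logins from sources not on a known list.

```python
"""Minimal daily log review over constructed authentication log lines.

The log format, thresholds and function names below are assumptions of
this example, not a real product's or the column's own code."""
import re
from collections import Counter

# Constructed sample log for one day (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2009-09-23T02:14:01 app01 sshd[311]: Failed password for admin from 203.0.113.7 port 50121
2009-09-23T02:14:03 app01 sshd[311]: Failed password for admin from 203.0.113.7 port 50122
2009-09-23T02:14:06 app01 sshd[311]: Failed password for admin from 203.0.113.7 port 50123
2009-09-23T02:14:09 app01 sshd[311]: Failed password for admin from 203.0.113.7 port 50124
2009-09-23T02:14:12 app01 sshd[311]: Failed password for admin from 203.0.113.7 port 50125
2009-09-23T02:14:15 app01 sshd[311]: Accepted password for admin from 203.0.113.7 port 50126
2009-09-23T08:02:44 app01 sshd[402]: Accepted publickey for jsmith from 192.0.2.10 port 40111
2009-09-23T09:31:02 app01 sshd[455]: Failed password for jsmith from 192.0.2.10 port 40190
2009-09-23T09:31:10 app01 sshd[455]: Accepted publickey for jsmith from 192.0.2.10 port 40191
2009-09-23T23:58:30 app01 sshd[980]: Accepted publickey for svc_backup from 198.51.100.4 port 61002
"""

# Assumed line shape: "<ISO timestamp> <host> <proc>: <Accepted|Failed> <method> for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line in an unexpected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(log_text, fail_threshold=5, known_sources=frozenset(), business_hours=(7, 19)):
    """Review one day of log lines and return findings keyed by check name."""
    raw = [ln for ln in log_text.splitlines() if ln.strip()]
    events = [e for e in map(parse_line, raw) if e]
    failures = Counter()          # (source, user) -> failed attempts so far today
    failed_then_accepted = []     # success after a run of failures from the same source
    after_hours = []              # successful logins outside business_hours
    unknown_sources = set()       # successful logins from sources not on the known list
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            failed_then_accepted.append(key)
        hour = int(e["ts"][11:13])   # "YYYY-MM-DDTHH:MM:SS" -> HH
        if not business_hours[0] <= hour < business_hours[1]:
            after_hours.append((e["ts"], e["user"], e["src"]))
        if known_sources and e["src"] not in known_sources:
            unknown_sources.add(e["src"])
    return {
        "brute_force_sources": sorted(k for k, n in failures.items() if n >= fail_threshold),
        "failed_then_accepted": failed_then_accepted,
        "after_hours_logins": after_hours,
        "unknown_sources": sorted(unknown_sources),
        "unparsed": len(raw) - len(events),   # lines the parser could not read: review them too
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, known_sources=frozenset({"192.0.2.10", "198.51.100.4"}))
    for check, items in findings.items():
        print(f"{check}: {items}")
```

Run daily against the previous day's log, the point is not the specific checks but that someone actually reads the output: the five failures against `admin` followed by an accepted password from the same unknown address is exactly the kind of line that is visible in the log but invisible if nobody looks. The `unparsed` count matters as well; a parser that silently drops lines it does not understand is a blind spot, not a filter.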



About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
