Comments on: 78% Merchants don’t know.. and institutions don’t care about PCI DSS. http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/ Card security effects everyone. I will utilize this forum to communicate the ongoing efforts to safeguard this type of data. Wed, 02 Dec 2009 20:20:35 +0000 http://wordpress.com/ hourly 1 By: Suzan http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7165 Suzan Thu, 05 Mar 2009 12:20:29 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7165 This website is Great! I will recommend you to all my friends. I found so much useful things here. Thank you.m This website is Great! I will recommend you to all my friends. I found so much useful things here. Thank you.m

]]> By: name http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7124 name Mon, 01 Sep 2008 01:40:16 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7124 Good day!, Good day!,

]]> By: Michael La Barge http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7123 Michael La Barge Sun, 10 Aug 2008 21:24:21 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7123 - In murky water the Tiger Shark is most successful. - I completely agree that many that Merchants are at risk due to their processors not properly educating them. I believe they are afraid of losing customer base if they "enforce" the PCI-DSS. Also, in another PCI related blog I read a report by Forrester Reasearch that indicated a “high end” breach cost of $305.00 total per record. I think these costs are vastly understated and here’s why: The Business side always seems to be covered in calculations, but what I seldom if ever see in the research is the personal suffering, anguish and humiliation the employees and their families who will most likely be laid off or downsized post- breach. In many cases the loss of reputation, consumer confidence and ultimately loss of business in today’s tough economy is more than enough to be viewed as a lethal injection for that organization. Although, there are many QSA Qualified Security Assessor organizations out there in the world some have been mentioned, In North America <a href="http://www.datassurant.com/" rel="nofollow">Datassurant Inc.</a> is ideally suited and is a really good choice for this type of work because and keep highly trained security professionals (many of which are certified White Hat hackers) on staff. In South America <a href="http://www.modulo.com/" rel="nofollow">Modulo</a> would be an excellent choice. What’s even more interesting, based on those numbers $100.00 vs. $90.00 it appears that Company A credit card records “street value” are more valuable to hackers then they are to Company A itself. This doesn’t seem to add up in my mind. What keeps me up at night? I wonder how many more breaches consumers will need to endure and how many lives will be ruined, how much post-breach triage we will need to perform before the Government hears the people and steps in, much in the same way as SOX? - In murky water the Tiger Shark is most successful. -

I completely agree that many that Merchants are at risk due to their processors not properly educating them. I believe they are afraid of losing customer base if they “enforce” the PCI-DSS. Also, in another PCI related blog I read a report by Forrester Reasearch that indicated a “high end” breach cost of $305.00 total per record. I think these costs are vastly understated and here’s why:

The Business side always seems to be covered in calculations, but what I seldom if ever see in the research is the personal suffering, anguish and humiliation the employees and their families who will most likely be laid off or downsized post- breach. In many cases the loss of reputation, consumer confidence and ultimately loss of business in today’s tough economy is more than enough to be viewed as a lethal injection for that organization.

Although, there are many QSA Qualified Security Assessor organizations out there in the world some have been mentioned, In North America Datassurant Inc. is ideally suited and is a really good choice for this type of work because and keep highly trained security professionals (many of which are certified White Hat hackers) on staff. In South America Modulo would be an excellent choice.

What’s even more interesting, based on those numbers $100.00 vs. $90.00 it appears that Company A credit card records “street value” are more valuable to hackers then they are to Company A itself. This doesn’t seem to add up in my mind.

What keeps me up at night? I wonder how many more breaches consumers will need to endure and how many lives will be ruined, how much post-breach triage we will need to perform before the Government hears the people and steps in, much in the same way as SOX?

]]> By: tv bracket http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7072 tv bracket Mon, 14 Apr 2008 07:14:25 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7072 Maybe the reason they don't care is because customer also don't care. Actually the customer don't know about such thing, so they don't care about it. Maybe the reason they don’t care is because customer also don’t care. Actually the customer don’t know about such thing, so they don’t care about it.

]]> By: pcidss http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7068 pcidss Fri, 28 Mar 2008 15:26:19 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7068 Tim, I think you raise a good point that merchants must be aware of what is expected of them, how they need to provide validation, and the necessity of a cognitive effort in assessing the business benefits/risks of accepting and processing credit cards. I strongly agree and encourage all businesses to evaluate they business processes and determine if outsourcing, insourcing, or finding a balance is ideal for their business. I question, however, the (beyond moral and ethical conflicts) idea of shopping for institutions that do not enforce the standards. To clarify - if a business processes credit cards they need to be compliant - the SAQ, ASV, QSA, etc... are only means of validation. Regardless of the imperative and reasons to respond to these completely, there is a stronger concern - fraud (for the business and the liable consumers). Other thoughts... counterpoints... areas where I may be misinterpreting? James Tim,

I think you raise a good point that merchants must be aware of what is expected of them, how they need to provide validation, and the necessity of a cognitive effort in assessing the business benefits/risks of accepting and processing credit cards. I strongly agree and encourage all businesses to evaluate they business processes and determine if outsourcing, insourcing, or finding a balance is ideal for their business.

I question, however, the (beyond moral and ethical conflicts) idea of shopping for institutions that do not enforce the standards. To clarify – if a business processes credit cards they need to be compliant – the SAQ, ASV, QSA, etc… are only means of validation. Regardless of the imperative and reasons to respond to these completely, there is a stronger concern – fraud (for the business and the liable consumers).

Other thoughts… counterpoints… areas where I may be misinterpreting?

James

]]> By: Tim http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7067 Tim Fri, 28 Mar 2008 13:41:00 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-7067 Merchants - please keep in mind there are 4 levels of Merchans that PCI Security Standards Council has defined based on credit card volume and, in some aspect, brick and mortar vs. online store front. Those that are Level 3 and Level 4 (the smallest merchants), are required to perform self-assessments only, and the timing of these self-assessments is based on your institution who processes your credit cards. Credit card processors have their own timetable to mandate your self reported compliance unless you have experienced a breech. If you really do not want to become compliant, you can always search for those institutions who have not yet felt the urge to force level 3 and level 4 merchants to go through these process. Merchants – please keep in mind there are 4 levels of Merchans that PCI Security Standards Council has defined based on credit card volume and, in some aspect, brick and mortar vs. online store front. Those that are Level 3 and Level 4 (the smallest merchants), are required to perform self-assessments only, and the timing of these self-assessments is based on your institution who processes your credit cards. Credit card processors have their own timetable to mandate your self reported compliance unless you have experienced a breech. If you really do not want to become compliant, you can always search for those institutions who have not yet felt the urge to force level 3 and level 4 merchants to go through these process.

]]> By: Helga http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-6910 Helga Mon, 14 Jan 2008 10:00:26 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-6910 Lucky to find you, keep on the good workk guys! Best of luck. Lucky to find you, keep on the good workk guys! Best of luck.

]]> By: Big Kid http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-6063 Big Kid Thu, 06 Dec 2007 19:24:42 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-6063 Once again confusion reaigns. BoA sent a letter to it's merchants stating that PCI DSS prohibits you from storing credit card numbers, which it (PCI) does not. You must have controls in place. An email to BoA asking for clarification was never answered. Once again confusion reaigns. BoA sent a letter to it’s merchants stating that PCI DSS prohibits you from storing credit card numbers, which it (PCI) does not. You must have controls in place. An email to BoA asking for clarification was never answered.

]]> By: Best Shopping Planet http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-3977 Best Shopping Planet Sat, 18 Aug 2007 09:33:29 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-3977 Thanks for sharing this information. Really is pack with new knowledge. Keep them coming. Thanks for sharing this information. Really is pack with new knowledge. Keep them coming.

]]> By: Adam Vitale http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-3259 Adam Vitale Fri, 20 Jul 2007 05:33:53 +0000 https://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/#comment-3259 I am part of an MBA marketing research team at Pepperdine University. We are researching PCI-DSS standards. If you have a couple of minutes we'd appreciate your help with our survey! Thanks! http://www.surveymonkey.com/s.aspx?sm=o7Ht7e8ijWSuxAlqT2oJig_3d_3d I am part of an MBA marketing research team at Pepperdine University. We are researching PCI-DSS standards. If you have a couple of minutes we’d appreciate your help with our survey!

Thanks!
http://www.surveymonkey.com/s.aspx?sm=o7Ht7e8ijWSuxAlqT2oJig_3d_3d

]]>