mikester
Registered
Join Date: Mar 2002
Location: My House
Posts: 5,346
PCI Compliance

The over-arching regulating body for credit card information security is the card industry itself - it is referred to as PCI Compliance or PCI Security Standards.

https://www.pcisecuritystandards.org/

It is a standards body led by the industry stakeholders like AMEX, Visa, MC, including some of the companies that provide security technologies that are depended on for this privacy and security.

I've worked quite a lot in this industry and have consulted for a number of companies in their efforts to become and maintain compliant. Unfortunately the challenges are not 'static' and they evolve ahead of the security technology at times. When that happens to companies who are doing a good job of trying to stay ahead of the curve it's a bummer, but when it happens to a company that was not doing a good job, or even the bare minimum to maintain security, then they were simply asking for it. It isn't 'when are you going to get hacked', it's 'where have you already been hacked' if you're a large company with credit data stored.

Still, the scope of this sounds very much like an inside job to me and all the PCI compliance in the world isn't going to stop an inside job if the insider was on the security staff or had administrative rights.

PCI compliance is actually a pretty good set of guidelines - compared to HIPAA which is really about recommendations and not requirements as I understand it. I'm starting to consult on HIPAA as well and finding it far less good.

HIPAA is the law and it is lame.

PCI is the industry and it is not lame. You probably want a simple law that says the data must be 'secure and private or else your organization is liable for the fraud.' Outside of that, unlike what HIPAA tries to do, the law should not outline the way it is done beyond saying to use 'industry best practices designed to beat the evolutionary curves of security breaches.'

Let a judge decide if they did their due diligence; if they did, they did, and if they didn't, they are liable for all the consequences of not being diligent. In my opinion at least...
__________________
-The Mikester

I heart Boobies

Last edited by mikester; 12-22-2013 at 01:32 PM..
Old 12-22-2013, 01:28 PM