If This Is Why We Fight, Then PCI is Our Vietnam


Chris Walsh at Emergent Chaos is the first that I’ve seen to show us the effects of the TJX incident. His piece, "Why We Fight", shows that TJX, at least publicly, doesn’t really care about the losses it has incurred as a result of the incident there (Are you a Band of Brothers fan, Chris?).

His post is timely, as it corresponds to a couple of others I’ve seen recently:

1. A great post by Michael Farnum at his blog, An Information Security Place, called "Dude, Where’s My Teeth", that discusses the lack of fines and judgments in the HIPAA space even though "violations" exist.
2. A comment by PCI Data Security Person on this blog about how, because there will be "automatic fines" for non-compliance, there actually is an ROI for spending money proving your diligence.

Credit Cards, Cookies, and PHP Vulnerabilities

These two together are very interesting to me. Back in 2000, for some extra cash, I built an E-Commerce site for "The Cookie Lady" (not her real name). The Cookie Lady was a nice woman who did about a million dollars a year in sales of her gourmet cookies via phone and Internet. Now, as you can guess, The Cookie Lady wasn’t very technical (in fact, I had to fire her as a customer about a half year into maintenance because I wasn’t willing to play LAN support). She’s also got a new E-Commerce provider, who switched her to what seems to be a very nasty little hand-built PHP site. Given her IT budget (not a lot of margin in cookie sales), I’m sure that she didn’t pay a ton for quality PHP E-Commerce code (if there is such a thing).

Now, do you think that the Cookie Lady, and the tens of thousands of other small business owners just like her whose volume means they fall under PCI, are going to be fined $5,000 a day for non-compliance? Because let’s face it, TJX doesn’t *really* care about the $5 million charge-off from the incident. And if the large companies don’t care about the fines, that leaves PCI threatening the small guys, the Cookie Ladies of the world.

Who Cares About PCI? Not The Data Owners…

If large companies don’t care about PCI fines, and if PCI isn’t in the business of using its fines to bankrupt small business owners, then what teeth does PCI have in the long run? Do you think it will be more like GLBA, or impotent like HIPAA?
