Way Out of Perspective


You’ll note I’ve been a little harsh on “compliance” and standards recently. Sorry about that. I have little personal tolerance for unnecessary bureaucracy.

Those things have their place, they’re not going away, but there are many, many implications of “compliance” we don’t consider.

I’d like to take one more jab at PCI. After all, it is PCI Awareness Month next month (possibly the most superfluous thing I’ve read since “security 2.0”). There are plenty of folks unhappy with yesterday’s post. I remain unconvinced that PCI’s “teeth” will have any real bite. Maybe I’m just from Missouri, and you have to “show me” before I’ll believe it.

This morning, I started thinking. Note that PCI is not a government-sponsored (maybe by proxy, but not directly) penalty. Now I’m usually more anti-big-government than the next guy, but let’s take a look at a couple of real happenings:

1.) TJX makes $208 million for last quarter. They claim to have suffered $5 million in losses due to the incident (2.4% of PROFIT, dang). You and I know that because of accounting rules, TJX actually has an incentive to exaggerate that loss. This is one of those rare cases of a positive impact of an incident: companies can impact taxes for a profitable quarter by throwing money at various incident-related expenses. I mean, they were going to have to go through all the “compliance” rigmarole anyway, so why not wait until they absolutely HAVE to spend the cash (i.e. when there’s an incident)?

2.) Some kid who ran a WAREZ ring is going to have to pay half a million dollars and spend 10 years in jail.

So let’s think about this in perspective. A corporation causes real fiscal loss to us, the consumer. The government’s job is to protect the citizen. The corporation essentially gets a tax break in return.

Some kid copies some software, is going to be fined 1/10th of the “tax break” the corporation receives, and will go to jail for 10 years.

There ought to be a law. But because PCI already exists, wouldn’t that make it more difficult for lawmakers to justify the effort of making a “SOXesque” law that sends CEOs to jail when hundreds of thousands of people’s credit reports are screwed up?
