Skip to main content

The WiKID Blog

Viewing posts tagged Security and Economics


That's the question proposed in this post: Breaches Make a Mockery of PCI Security Standards (Ouch.) I would say "Yes".


As Adam had pointed out the Lexis Nexis breach was due to " misappropriation by third parties of IDs and passwords from legitimate customers".


A credit union has sent TJX a expenses related to the breach at TJX. Interestingly, $500k is for "brand damage":

"The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint," he said. According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage.
And it looks like more states are pursuing regulations requiring retailers to take responsibility for data breaches.
HarborOne's action comes amid growing pressure from credit unions and other financial institutions around the country to get retailers to take financial responsibility for data compromises. Credit union associations in various states are vigorously lobbying lawmakers to approve bills that would require retailers to implement stronger data-security measures and to reimburse costs associated with reissuing payment cards after a breach.

One such bill is the Plastic Card Security Act that was signed into law in Minnesota last month after being actively pushed by the Minnesota Credit Union Network. And the California Credit Union League is now pushing a bill similar to the one in Minnesota. Other states, including Texas and Connecticut, have considered similar proposals recently.
Will the PCI data security requirements be too little too late?


In thinking a bit more about PCI security since my post on PCI visibility. I think what Visa and Mastercard need to do is to hire independent 3rd party penetration testers to pen test merchants and processors.

The PCI Three are making a big switch in September, when they will start fining acquiring banks non-compliant merchants. However, there are two problems with the auditing procedures: Auditors are paid by the companies they are auditing and audits are static snapshots. I'm not insinuating anything here about the ethics of PCI auditors, just pointing out the agency conflict and that a company might get compliant for an audit, then lapse out of compliance.


NetworkWorld has an article on the potential for conflicts of interest in the PCI world. In sum:

  • There are only 60 qualified security assessors (QSAs).
  • Many QSAs also sell products.

Recent Posts







RSS / Atom