A major data breach was announced this week: the Hannaford Brothers grocery chain disclosed a large loss of protected credit card information. Details are sketchy and in some cases conflicting, but the online discussion has raised some interesting questions about PCI. Rich Mogull, former Gartner security analyst and blogger at securosis.com, takes a look at what might have happened and asks whether PCI is worthless. Both discussions are worth checking out: the first as an exploration of the actual breach and whether PCI helped, and the second as a more in-depth look at whether PCI is improving things or just consuming resources. Avivah Litan and John Pescatore at Gartner have also weighed in with the implications for enterprises.
I also talked to Ted Keniston, one of our Professional Services compliance gurus and a PCI Qualified Security Assessor (QSA). He recommended a few recent blog postings and sites to check out when keeping up with the regs:
PCI Blog - Compliance Demystified, as the leading reference site.
Three postings at PCI DSS News and Information cover these ten PCI myths:
10. PCI only applies to my e-commerce transactions.
9. Non-profits like charities are exempt from PCI.
8. Outsourcing my card processing makes me PCI compliant.
7. I use a PABP application/service provider, so I'm PCI compliant.
6. A card association would never fine a college or university!
5. PCI compliance is an IT project.
4. PCI is inflexible with unreasonable technical, security, and business requirements.
3. PCI requires me to hire a QSA.
2. The card industry requires me to keep cardholder data.
1. I've completed my Self-Assessment Questionnaire, so I'm compliant.