Here's why PCI DSS exists

February 19, 2007 1:53 PM EST
Some criminals tampered with credit card scanners in grocery stores on the East Coast to gather credit card numbers (see story here). Most of the customers that were interviewed seemed worried about the problem.
Several shoppers interviewed yesterday at the Seekonk Stop & Shop said they were astonished that they now had to worry about another way identity thieves could steal their credit card data.
However, you gotta love this part of the story:
But at least one shopper was blasé. Al Mendes of Seekonk, who had just finished shopping yesterday afternoon and charged his purchases on his credit card, said he would not worry if his number got stolen. "The credit card company eats it," Mendes said. "Not me."
This guy's attitude is the main reason PCI DSS exists. If the consumer were responsible for fraudulent charges, the credit card companies would not put any real effort into stopping this type of crime, and we would be responsible for protecting our own data. But since the credit card companies absorb the loss, the economic driver for them to be more proactive on security is clear.


FYI, I am thrilled that this is a private industry standard and not something the government tried to build. HIPAA, SOX, GLBA, etc. are proving to be ineffective for the most part, so one more regulation to try to solve this problem is not needed or wanted.


And I want to finish this post with my favorite quote from the story:

"They need to upgrade their security or whatever, because something's wrong," said Matt Tucker of East Providence.

Pure brilliance.
