Is PCI a "mission accomplished?"

BY DAVE TAYLOR

Earlier this year, Visa painted a very rosy picture of PCI compliance among merchants when it announced that 77% of Level 1 US merchants are compliant and 62% of Level 2 merchants are now compliant. While we applaud Visa for having the courage and spending the money for incentives to encourage compliance management, the process of achieving PCI compliance has, for some merchants, resulted in a shift away from a strategic approach to security toward what can only be called a "checklist mentality."

As part of a research program recently launched by the PCI Alliance, we've talked to a number of merchants who feel that the drive to PCI compliance has caused them to make some security technology choices that are contrary to their system architectures and prior planning. Others have expressed concerns that they are simply not able to process all the data they are collecting from their various auditing and logging tools, which means they are getting little value from the many thousands of dollars they have spent, other than the "PCI Compliant" seal of approval.

The bright side is that for merchants that had done little in the way of data security or were still retaining track data or CVV data, PCI compliance demands "woke them up" to the importance of removing this data from their systems, which greatly reduces the card fraud risk.
