Tuesday, January 27, 2009

Data breaches and PCI

A lot of people have blogged about PCI (here, here and here) and the latest Heartland breach. While many of them argue about the effectiveness of PCI compliance, I think it is too early to make a judgment on that. One way to measure the effectiveness would be to compare the breaches reported by PCI compliant and non-PCI compliant companies over the course of 6 to 12 months, and of course this assumes that the PCI compliant companies went through rigorous external audit requirements.

Branden brings up an excellent point in his blog that many of the companies may not be PCI compliant at the time of the breach: "PCI Assessments are point-in-time and many companies struggle with keeping it going every day."

Many of the online PCI scanning vendors are set up to automatically scan for vulnerabilities on a daily basis, so it would be good to know whether these companies were compliant on a daily basis rather than only once a quarter or once a year.