Corporate America has been battered by ineffective information security for a long time, with untold billions of dollars in collective losses through the years. Sites that tracked defaced Web pages stopped listing them when they became too numerous to enumerate. Similarly, data breaches are now so common that even large ones barely make the news.
To the rescue comes PCI-DSS -- perhaps the most effective security standard created to date. PCI is a welcome and timely standard, beneficial to consumers and merchants. Yet far too many people have derided PCI rather than defending it, pointing to a few of its shortcomings instead of focusing on its many benefits. Rather than embracing PCI as a catalyst for security change, people are caught in an information security version of Stockholm syndrome and long for the good old days before standards and regulations.
Stockholm syndrome, for those who have forgotten the 1970s (or aren't Blink-182 fans), is a psychological response sometimes seen in an abducted hostage, in which the hostage shows signs of loyalty to the hostage-taker, regardless of the danger in which the hostage has been placed. Stockholm syndrome is also sometimes discussed in reference to other situations with similar dynamics, such as battered person syndrome, rape cases, child abuse cases and bride kidnapping.
People point to the Hannaford Bros. breach and say, "Aha! PCI does not work." Even David Hogan, CIO of the National Retail Federation, has missed the point. In a letter to Bob Russo, general manager of the PCI Security Standards Council, Hogan wrote that "PCI, which has been in existence in one form or another for several years, was supposed to prevent such crimes. It is a valiant attempt to prevent large stockpiles of credit card data from getting into the wrong hands. However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks."
Hogan's mistake is in thinking that PCI was ever meant to prevent every data breach. PCI can't prevent every breach, just as laws against cocaine are powerless to prevent the import of every kilo of cocaine. That does not mean those laws should be abandoned.
Comments (1)
Is it me, or has cut and paste gone awry? By Anonymous on May 15, 2008, 9:24 am: I'm sure I have read pages 2-4 twice!