[145650] in cryptography@c2.net mail archive
RE: Has there been a change in US banking regulations recently?
daemon@ATHENA.MIT.EDU (eric.lengvenis@wellsfargo.com)
Fri Aug 13 14:40:33 2010
From: <eric.lengvenis@wellsfargo.com>
To: <jsimmons@goblin.punk.net>, <pgut001@cs.auckland.ac.nz>,
<cryptography@metzdowd.com>
Date: Fri, 13 Aug 2010 13:33:00 -0500
In-Reply-To: <201008130932.57716.jsimmons@goblin.punk.net>
> Jeff Simmons wrote:
> It wouldn't surprise me if there's been some blowback from the adoption of
> PCI-DSS (Payment Card Industry Data Security Standards). As someone who has
> had to help several small to medium size businesses comply with these
> 'voluntary' standards, the irony of the fact that the big banks that require
> them often aren't in compliance themselves hasn't escaped my notice.
I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It isn't usually enforced by big banks except insofar as they are liable for PCI-DSS compliance when outsourcing to or partnering with other companies. So they may be forcing it on the SMBs you've worked with because they're liable in some way.
PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the payment card security standards committee) and we wrote an open letter back in 2005 to Visa and Mastercard asking them not to set new, separate standards for the financial sector but to work from within X9F. They ignored us. Even though you clearly indicate that they aren't truly voluntary via your use of quotes, when the PCI group (VISA et al.) can unilaterally level huge fines and/or penalties for non-compliance they really are compulsory.
Luckily, PCI-DSS compliance != security. Or is that unluckily because of how much money is wasted complying that could be better spent securing.
Eric Lengvenis
InfoSec Arch
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com