Can the Government Be Sued For Plagiarizing PCI DSS?

Written by David Taylor
June 24th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

  • PCI is Legalized in Nevada, Along with Prostitution
    Nevada recently revised its data protection law, SB 227, to essentially add the full weight of the Nevada legislature to the enforcement of PCI DSS compliance. You likely already know that. What’s interesting about it is how the new law, in addition to requiring PCI compliance, also adds language requiring encryption (which is vaguely defined as being standardized in some way) between entities, though not over private networks within an entity.

    Considering that this provision is already covered in PCI (even the exclusion of private network encryption), this is yet more proof that government organizations should not be writing technically detailed security legislation.

    (Read our related special report about the battle between states and retailers.)

    PCI DSS emerges after an arduous (if controversial) vetting process. Since security legislation does not have to go through such a process, I remain skeptical that state, federal or international legislation can improve on what PCI DSS already provides in terms of technical detail. What Nevada is doing, enacting PCI DSS into law, makes a lot of sense from a legal perspective.

    Legislators save themselves and their staff a lot of time researching and writing detailed laws, yet they still get to issue press releases about how they are protecting their constituents. In addition, by specifically saying that companies that collect data and do business in the state of Nevada must comply with the “current version” of PCI DSS, this makes the Nevada law “evergreen,” thus saving valuable trees, which Nevada certainly needs.

  • TJX Forced to be a Security Guinea Pig
    You can’t make this stuff up: As part of TJX’s security breach settlement, TJX is being forced to participate in “pilot programs” related to credit card security, such as chip-and-PIN, which is all the rage in Europe, and end-to-end encryption, which is all the rage among certain POS vendors and processors. To me, as I read the settlement agreement, this stuck out like a sore thumb.

    Where would 41 state attorneys general get the idea of forcing TJX to participate in pilot programs as part of their settlement? I’m guessing the answer is: from TJX itself. Like any global retailer, TJX is certainly participating in chip-and-PIN programs, at least in Europe. Plus, POS vendors and processors are beating down the door of every retailer to get them to implement end-to-end encryption, or tokenization, or both.

    My point is: this “punishment” for taking data that is “worth cash” and treating it “like trash,” as one desperate-to-be-quoted elected official put it, is to implement the very programs they are already implementing. Of course, the ideas for these pilot programs could have emerged from months of painstaking research into current trends in the payment industry, which culminated in a strategy to make TJX’s data security truly state-of-the-art. But, I doubt it.

  • The Bottom Line is Enforcement
    Like it or hate it, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process. That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.

    As a security geek, I’m all in favor of anything that will help protect valuable data, as long as it incorporates solid risk management principles and has built-in enforcement mechanisms. If you find any laws or standards that do this, let me know. Do visit our website, PCI Knowledge Base, if you want to view our research. If you want to have a personal discussion about this, just send me an E-Mail at
