Saturday, June 14, 2008

Keeping Up With The Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card companies as a tool and a guide for merchants who store, process, and transmit credit card data, pointing them toward stronger and more adequate security measures.

In the wake of a number of high profile security breaches that have occurred in recent history, consumer attention and paranoia have been focused very heavily on the procedures a merchant may or may not have implemented to protect their sensitive information.

Unfortunately, complying with all the requirements of the Payment Card Industry Data Security Standard can be a difficult, time-consuming, and costly endeavor - enough to make some merchants hold off on their PCI compliance. The Payment Card Industry has since created a number of benefits and incentives... and fines and penalties, to encourage merchants to adhere to its requirements more quickly.

But here's another problem. The Payment Card Industry Data Security Standard is not a static entity. It can't be. The very nature of electronic transactions (either over the web or from a POS system) and the criminals that target them are constantly evolving. If the PCI DSS remained the same through the years, it would very quickly lose any relevance and usefulness.

Now consider another story. There was once a man named Sisyphus. Sisyphus is famous for a particular endeavor - it goes something like this: every morning Sisyphus was made to push a rather large and distressingly heavy (although suspiciously round) rock up an impressively steep hill. Inevitably the suspiciously round rock would immediately roll back down the other side the moment he reached the top, and thus, Sisyphus was cursed to continue this unbelievably frustrating and futile task throughout eternity.

The continual struggle to achieve something, despite its seemingly pointless and unrewarding nature is often referred to as a "Sisyphean task" or "Sisyphean challenge," and many merchants fear that keeping up with the Payment Card Industry Data Security Standard would fall into this category. They feel that no matter how much time, effort, and money they throw at it today, there will just be something else waiting for them tomorrow.

The question, then, becomes: is this view well founded? And if so, does it really change anything?

To answer the second question first: no. If you wish to continue to accept credit card transactions, then nothing changes. You still have to push that rock up the hill, even if it feels like you'll never be able to stop.

But really, is keeping up with the changing requirements of the Payment Card Industry Data Security Standard a Sisyphean task? Well, if you define that as a task that is pointless and unrewarding, then no. The PCI DSS is anything but that.

Consider the rewards of the PCI DSS - a secure system that customers can feel good about using, a reputation that can be protected, and protection from fines in the case of a breach that may still occur. These should be reason enough to push the rock, especially when you consider examples like the TJX companies, who are now the poster child for what happens if you are not PCI compliant (i.e., massive fines, required security audits, and so on).

But given the changing nature of the industry, can the task ever be truly accomplished? One would think that if Sisyphus were a little smarter, he might somehow have managed to balance the boulder on that peak.

Keeping up with the Payment Card Industry Data Security Standard can be a similar balancing act. A merchant can reach compliance with the 12 requirements of the PCI DSS, and they can stay compliant, but it's not a simple thing. Let your attention wander and the rock can get away from you. But with some dedication and vigilance, you can keep the rock on top of the mountain and keep your business safe from intruders.
