The Oracle Australia and New Zealand Middleware and Technology Blog.

Monday, August 18, 2008

Have you ignored PCI?


Think about who has your credit card details. When you look at your household dealings they include council, electricity, gas, water, building insurance, car insurance, petrol, and the list goes on. I am sure all of us have at least 50 relationships with various organisations through consumer spending with credit cards; in fact the number would be greater when you factor in frequent purchases like clothing. When you consider the rapid growth of internet espionage, fraud and identity theft, what is being done to protect us? PCI is the best example of legislation designed to protect the mums and dads.

The PCI Data Security Standard is nothing new; it has been around for a few years and, depending on the region, it can be front of mind or ignored. In the land of compliance (the USA) PCI has of course seen heavy adoption, but in Asia Pacific adoption has been lagging.

So what is PCI? To put it simply, the card brands AMEX, Diners, Visa, JCB and MasterCard came up with a set of recommendations or best practices for any organisation that deals with credit card data. Encrypting card numbers, or making sure your systems are patched to current versions so they are less susceptible to hacking, are examples of these recommendations. There are 12 in total, and on reviewing them you have to wonder why they wouldn't be adopted. It just makes good sense.

That's clearly the problem: when does "good sense" make a good business plan? Rarely, if at all, is my opinion. With the IT industry seemingly unable to propose anything unless it is tied to an ROI, TCO, SLA or some other acronym, compliance, especially in Australia, is simply a tough sell. Where is the pain?

Well, the pain is coming. The card brands currently do fine organisations for failing PCI audits, but the organisation may never suffer the fine: banks can, at their discretion, choose to absorb the fine and not pass it on to their customer. If the organisation that has failed the audit has significant financial heft, and hence contributes a large revenue stream, the bank would for the sake of the relationship simply eat the fine. But these fines are now becoming more frequent and larger, and the smaller Level 2 and Level 3 merchants are coming under closer scrutiny. So the size and frequency of the fines will now force the banks to start passing more of them on to their customers. This of course is great news for consumers like you and me, since we deserve a better deal when it comes to privacy and protection of our financial dealings.

With this changing dynamic of banks passing down the fines, and the continuous IT mantra of "do more with less", IT automation is coming of age across the board. Most organisations have come to terms with automating employee onboarding or provisioning user accounts, and with offering self-service to change your home address, mobile phone number or password. So why not automate your compliance regime?

The following deck outlines the 12 guiding principles of PCI and shows how Oracle IDM and Database Security solutions can overlay these requirements.

If you would like more information on PCI and how to start, give us a call.


Read this document on Scribd: PCI Presentation by Carl Terrantroy
