Does PCI Matter?

StorefrontBacktalk had an interesting article today entitled How to Sell PCI To Business Units. In sum, it discussed the methods by which a CIO can explain the importance of PCI to the organization at large. Of the recommendations, I found one particularly humorous:

Yell “SECURITY BREACH” really loudly, all the time

Interestingly, much of the marketing around PCI-DSS and PA-DSS that I see in the market centers on this strategy. The TJX breach is often cited as the “why” PCI compliance must be achieved. But, as the article mentions, repeatedly citing this as the sole reason for achieving, and maintaining, compliance leads to a “boy who cried wolf” scenario.

As you can imagine, this led me to think about what I consider the best method of explaining the necessity of compliance.

Unfortunately, I haven’t yet settled on an answer I find sufficient (but the thought process has begun…stay tuned). With that said, it did lead me to consider why the discussion of compliance is so often complicated.

Put simply, the issue can typically be tied to a lack of understanding. In most organizations, I suspect there are relatively few people who could both explain the full importance of current compliance mandates and detail the true breadth and reach of both the PCI and PA-DSS compliance requirements.

So, perhaps, the first step in addressing compliance inside an organization is education. Don’t focus solely on the “why” without ensuring you can explain (at an appropriate level of detail) the “what.”

What’s your perspective? Agree? Disagree? Anything to add? Critiques?

August 15, 2008