Does PCI Compliance Apply To Me?

The interaction I have had offline with folk regarding my most recent series of posts on security has been intriguing.  Most discussions fall into one of two categories:

  1. Don’t care.  Somewhat boring.  Get back to pontificating about payments, platforms, and software in the future.
  2. Hugely valuable.  Need specific help.  Rather confused about a specific element of payment compliance…thoughts?

Let me address the first item, at least in brief.  I freely acknowledge my technical background and time doing consulting, in both private and government sector, have resulted in a unique interest in security and compliance and its impact on the potential for innovation.  With that said, I also firmly believe that the payments market (in particular bankcard) has recognized the importance of not only holistically addressing security but the importance of market perception that security is being addressed.

Will achieving PCI compliance guarantee no breach occurs?
Absolutely not. 

Will certifying an application as PA-DSS compliant eliminate security concerns?
Absolutely not.

However, establishing and (most importantly) enforcing a base level of compliance is a method of driving appropriate levels of protection for cardholder information.  In my opinion, it is by no means the end-game.  It is necessary to continue to innovate in authentication schemes, abstracted tenders, etc…but the opportunity to do so is dependent upon an accepted set of standards.

So, the original purpose of this post (prior to the slight diatribe above) is the question of whether compliance is applicable to you.

At its simplest, if you (or the application you build) store, transmit, or process cardholder data you are responsible to meet some level of compliance.  That is the basic “test” of compliance requirements…

When you consider PA-DSS requirements it is also necessary to consider whether the development is being performed for an “off the shelf” application or solely for internal usage.

The permutations can be somewhat complex.  To that end, on Commerce Lab, we have placed a simple questionnaire that can be used to help determine compliance requirements.  PCI Compliance is a complex discussion…if you want to discuss compliance requirements or their applicability, feel free to contact.

What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below. . .

November 17, 2008

Leave a Reply

Your email address will not be published. Required fields are marked *