Payment Application Security: does it matter?
I spend a fair amount of time discussing security and compliance. In particular, surrounding the details of achieving PCI and PA-DSS. But, more broadly, that compliance is an outcome of a risk-based approach to security.
In these discussions, I’ve noticed two common questions, or perhaps concerns, that arise:
- Why should a merchant or software company care about compliance?
- What can they do to address compliance?
I will address both questions over the next few days…but I find the first question particularly intriguing. There is a standard set of responses to the query that you hear frequently repeated: opening liability to fines from card associations or acquirers, other liability for breached data, public perception of the corporate entity, risk to business health, compliance is* mandated, etc. etc. etc.
The discussion of the above typically suffices to quell concerns regarding the importance of compliance to the merchant. In fact, I would postulate that, over the last year, that particular concern (or objection) has decreased in regularity. There has been acceptance, albeit tacit, of the importance of compliance in specific (and security in general).
With that said, seeing tangible examples of the importance of compliance is always interesting…
For example, during my catch-up phase following vacation, I happened upon a SlideShare presentation entitled Reference Guide on our Freedom & Responsibility Culture given by Netflix to new employees. For convenience, I have embedded the presentation at the end of this post.
There was a fair amount of discussion surrounding the presentation itself. Lengthy, and at times heated, diatribes discussing the way in which Netflix positions its stance on “hiring stars” and employee retention. In addition, a surprisingly hefty amount of postulation regarding their vacation policy (or lack thereof).
However, that wasn’t what I found most intriguing in the presentation. On slide 59 they discussed the sort of rules that are required for them to be a successful company. The first subset was focused on rules that “Prevent irrevocable disaster.”
The first example is expected for a publicly traded company. Misstated financials would be a death knell for an organization such as Netflix. Period. End of Story.
But their second example of irrevocable disaster is worthy of being memorialized not only in quotation but in the image to the left.
“E.g. Hackers steal our customers’ credit card info”
That is a powerful statement.
The criticism that PCI/PA-DSS is not actually something of concern to the merchant community is addressed in 6 words in a Netflix presentation.
I will concede that Netflix represents a Tier 1 merchant and, as such, is more aware of the importance of compliance. But, likely, if you had the opportunity to query their team tasked with security & compliance they would give the same set of reasons for the importance of security as listed in the beginning of this post.
In addition, it is worth noting that Netflix didn’t describe failing to be found in compliance with PCI standards as the “irrevocable” disaster. Rather, the concern is the loss of customer data. To that end, it can be noted that they have adopted a risk-based approach to security & compliance. Compliance is not a milestone…rather, it is an outcome of an ongoing focus on the security of customer data.
The entirety of the presentation is interesting, and worth perusing although it does take a rather long time to consume in its entirety.
What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below…
* With appropriate caveats regarding requirements for merchant sizing, etc.
August 11, 2009