By David Dorf on Mar 29, 2012
Mention "PCI" to any retailer and you'll instantly see them take a deep breath and start looking for the nearest exit. Nobody wants to be insecure, but few actually believe that PCI does anything more than focus blame directly on retailers. I applaud PCI for making retailers more aware of the importance of security, but did you have to make them PAINFULLY aware? POS vendors aren't immune to this pain either, as we have to undergo lengthy third-party audits in addition to our internal secure programming programs. There's got to be a better way.
As a vendor, my biggest issue with PCI is that it requires vendors to disclose the details of any breaches, in effect "ratting out" customers. I don't think it's a vendor's place to do this. I'd rather have the trust of my customers so we can jointly solve the problem.
Mary Ann Davidson, Oracle's Chief Security Officer, has an interesting blog posting on this very topic. It's a bit of a long read, but I found it very entertaining and thought-provoking. Here's an excerpt:
...heading up the list of “you must be joking” regulations are recent disturbing developments in the Payment Card Industry (PCI) world. I’d like to give [the] PCI kahunas the benefit of the doubt about their intentions, except that efforts by Oracle among others to make them aware of “unfortunate side effects of your requirements” – which is as tactful as I can be for reasons that I believe will become obvious below – have gone, to-date, unanswered and more importantly, unchanged.
I encourage you to read the entire posting, Pain Comes Instantly, and then provide feedback to the PCI Council.