Comments on: PCI: Maybe It’s Not Just For Card Data Any More http://storefrontbacktalk.com/securityfraud/pci-maybe-its-not-just-for-card-data-any-more/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Sun, 20 May 2012 01:49:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Evan Schuman http://storefrontbacktalk.com/securityfraud/pci-maybe-its-not-just-for-card-data-any-more/comment-page-1/#comment-64165 Evan Schuman Fri, 13 Nov 2009 21:01:52 +0000 http://www.storefrontbacktalk.com/?p=4182#comment-64165 I hate to admit, Cranston, but you're absolutely right. The intent--although it wasn't stated--is that proper security procedures should apply to all content and not merely payment data. The reason the piece spoke of PCI is that this particular IT manager used PCI extensively and happened to be talking with a PCI assessor and that was the context of the conversation. So, our theory went, as flawed as PCI might be (please don't me started), if he at least treated his other data as though it was PCI-protected data, he'd be in a much better place. But that wasn't stated in the piece, so your comments are entirely warranted. I hate to admit, Cranston, but you’re absolutely right. The intent–although it wasn’t stated–is that proper security procedures should apply to all content and not merely payment data. The reason the piece spoke of PCI is that this particular IT manager used PCI extensively and happened to be talking with a PCI assessor and that was the context of the conversation.
So, our theory went, as flawed as PCI might be (please don’t me started), if he at least treated his other data as though it was PCI-protected data, he’d be in a much better place. But that wasn’t stated in the piece, so your comments are entirely warranted.

]]> By: Cranston Snoard http://storefrontbacktalk.com/securityfraud/pci-maybe-its-not-just-for-card-data-any-more/comment-page-1/#comment-64164 Cranston Snoard Fri, 13 Nov 2009 20:48:30 +0000 http://www.storefrontbacktalk.com/?p=4182#comment-64164 Oh, please -- PCI to protect flight maintenance records??? The aviation industry and aviation operations already have requirements for ensuring information is retained, reviewed, signed off, auditable, etc. And there are far better guidelines for protection of sensitive information than PCI. Let's not start the propaganda that PCI is some grand, all encompassing process that can now cross into other areas of data protection It isn't -- at best it is a simplistic (in the worst sense of the word), crude, immature hodge-podge of marginally effective controls. There are far better standards and practices to follow for sensitive and critical information than PCI. Oh, please — PCI to protect flight maintenance records??? The aviation industry and aviation operations already have requirements for ensuring information is retained, reviewed, signed off, auditable, etc.

And there are far better guidelines for protection of sensitive information than PCI. Let’s not start the propaganda that PCI is some grand, all encompassing process that can now cross into other areas of data protection It isn’t — at best it is a simplistic (in the worst sense of the word), crude, immature hodge-podge of marginally effective controls.

There are far better standards and practices to follow for sensitive and critical information than PCI.

]]>