Friday, November 30, 2007

Got advertisement? Maybe you should shout your PCI compliance from the rooftops!

Will advertising the fact that you are PCI compliant make you more of a target? I don’t believe so.

Here’s why. It’s no longer the proverbial pimply-faced kid who is hacking into the company; it is organized crime. And what do these guys want? Money, pure and simple - extracted from sensitive information such as cardholder data. They are not here for the glory and peer recognition from other hackers that comes from breaking into a trophy account. In fact, if you advertise the fact that you are PCI compliant, I think it will deter them from attacking you: you don’t store swipe or card data anywhere (or the data is encrypted). Why should they even bother when there are multiple easier, juicier targets just another click away?

In addition, as consumers become more aware of stolen cards, they will care more about breaches and the impact a breach could have on them personally. The recent survey we did seems to validate this. Do consumers care if you are keeping their data safe? In the long term, absolutely. They will start to take notice and bring their business to companies who can promise and deliver a higher degree of security.

So go ahead, proudly proclaim your resolve to secure your customer data as if it were your own. And brandish your PCI compliance as a badge of honor.


Mike said...

Truth is, the targets are already aligned and statements of compliance will not entice or deter attackers. It is the security behind that compliance that keeps you safe.

Manu Namboodiri said...

No doubt the security behind it is the critical aspect - however, I think compliance is an indication of that security, process et al. And from an outsider's (hacker's) perspective it might be easier to go after softer targets... I would think this would deter attackers...