We can't turn on the evening news without hearing of yet another high-profile case involving the unauthorized disclosure of credit card numbers. So what is really fueling the push for compliance? Is it lawyers?
Let's face it. The way the law is written today, no one is afraid of being sued over PCI compliance. Why? For one, the litigation end of PCI is still in its infancy and is still working its way down the tree; it has not reached a point where lawyers know precisely how to litigate it.
The term used here is "rising to the bar." In lawyer speak this means that once lawyers figure out the concept and put together the documentation, procedures and so on, they'll know exactly how and when to sue for PCI violations. Right now, that bar has not been reached, and it is still too expensive and very difficult to prove PCI violation damages for individuals and small companies.
If this is the case, what's pushing the compliance race?
It shouldn't be surprising that at the forefront sit motivators that can't easily be quantified monetarily. After all, these are the ones that can be spun as the worst possible risks (and rightly so, as they are truly unknown). Public perception is one of the leading reasons why compliance is moving forward. No one wants to be perceived as the company that dropped the ball due to a PCI compliance violation that led to losses and/or disclosures.
Thanks to our sensationalist pals in the media, people are especially charged over compliance issues, so the climate is perfect for a company to take a huge financial hit over perceived poor practices and/or PCI violations. After all, the consumer will typically respond to something of this nature by moving dollars away from you and shifting them to your competitors.
At the end of the day, business is what it's all about. Security is now a major factor in the business world and will continue to drive behavior on both the consumer and business fronts. Regulatory compliance will certainly be the fuel for this continued pattern.
Fines, at the moment, prove to be the strongest motivator for compliance. Since the PCI group has formed an enforcement body, the fear of fines is now palpable. With recent high-dollar fines being levied against the big fish, businesses realize that there will be consequences to sitting back and playing the odds of not being audited or, worse, ending up at the center of a massive disclosure.
HIPAA is a little different in that fines aren't going to be a major driver. However, just like PCI, HIPAA compliance is driven heavily by public pressure. People tend not to like it when personal health information leaks out to marketers. Next thing you know, you're getting junk mail targeting those who have moles on their backsides, and that's one of the tamer examples.
On the flip side, jail time is the punishment arm of HIPAA, yet there aren't many people cooling their heels because they failed to comply with HIPAA standards.
Now, given that we know the lawyers aren't our problem right now and that public perception and fines are our primary motivators, the name of the game is to get yourself compliant so that when the lawyers finally get their hooks into successfully litigating in this area (and you can be sure they will), you're not the one they're coming to ring up.
The idea is to be able to provide tangible proof that you are performing your due diligence and are in no way operating in a negligent fashion. This way you won't take a financial hit, and, more importantly, you'll avoid participating in the prison system.
This article was first published on EnterpriseITPlanet.com.