Michael Dahn has an interesting post on PCI and the lack of education.
One of the questions he poses is:
"Are we so willing to sell security that we ignore the care involved in properly educating someone how to use it?"
I have been asking the same question too, and my answer is "Yes, it certainly seems that way".
I think the reason is twofold - lack of education and understanding among the clients, and the fact that security companies are companies - they are out to make a profit.
There is a need for proper training. No doubt. But on the other hand, most businesses are not about security - they just require a minimum level of security.



Hi Mike,
thank you for commenting!
I fully agree that informing the merchants is key. The merchants are too busy doing their own thing, and to expect them to also invest much time building competence in security and technology is not the solution. I believe that merchants (and others) should be able to trust their supplier to help solve these kinds of issues.
Hopefully we will start seeing more suppliers supply tools and solutions that are in accordance with regulations.
Kai, I agree that business