
March 24, 2011

Comments


Larry

Interesting, but shouldn't they as MEMBERS of the Industry who issued the Standard be reporting TO THE INDUSTRY there is an inconsistency between required business needs and practices stated in the language contained in the Standard?

Standards are only as good as they are applicable. If language needs to be modified or added to meet business needs, such as "Store card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions utilizing secure, limited access means," then it should be suggested to the PCI. Subsequently, examples should be provided of what those "means" would include.

Benjaminwright

Larry: Thank you for your comment. I do not believe that the tradeoff between data protection and record retention is well understood. I have seen very little discussion of it in the context of PCI or data security guidelines, such as the "right to be forgotten" coming out of EU. One reason I published this story is to help all of us learn to balance the need for destroying sensitive data, on the one hand, against the need to preserve records for legal and other purposes, on the other. --Ben

Larry

Ben, your point is understood and it's possible the distinction is NOT well understood, but isn't it imperative that the body issuing Standards for the Industry be made aware of this distinction?

Writing Standards that are going to be ignored by the Industry they impact is counterproductive, and if it happens because they don't understand how their work practices... the two should talk!

Albatross

I worked for a major retailer a few years ago that proudly upgraded all the security cameras in its retail stores with new, high-quality versions. Shortly thereafter it was discovered that the cameras had sufficient zoom and clarity to clearly record the front and back of a credit card as a customer made a payment.

Faced with having to add its video security system to the PCI security domain, the retailer dispatched contractors to install limiting brackets on the brand-new, high-quality cameras, to prevent their being able to zoom in close enough to capture the credit card image.

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
