Monday, 12 March 2007

Reply to "PCI compliance in Europe".

I was quoted on the excellent PCI Compliance Demystified blog by Michael Dahn earlier in the day. I started to add a reply to his post and it turned into a blog, so I'm putting it here:

Hi Michael,

The lack of PCI awareness in the UK and Europe isn't due to the fact that there is less fraud, if only that were true. The problem is that PCI has no teeth over here, because there are no disclosure laws. There are no disclosure laws because that kind of thing has to be driven through the European parliament in Brussels, and that takes forever. Europeans never agree on anything, we're all far too different. It would, in short, cause a right stink and have to be debated for years. VISA and MasterCard brought out the PCI rules over here at the same time as in the US, but in the US you were already talking about disclosure, or at least in California they were, and that's where 90% of America's wealth seems to come from, so people listened. In Europe, the wealth is less obviously distributed, although I would guess London's got to be the leader, Germany and France can't be too far behind and certainly have a lot of influence. We would be foolish to ignore the Nordic nations too. The thing about Brussels is it says that everyone's got to have an equal vote, so nothing ever gets sorted out quickly.

We could introduce our own laws in the UK, we tried with the UK Companies Act, and there's the UK data protection act. There's LOPD in Spain and the EU data protection act too, but none of these are the thing we need, disclosure. It's beautifully simple. Tell the world when someone's lost your data and everyone will hate them. It's the equivalent of squealing to the teacher at school. Maybe it's because we think it would be un-British that we don't do it? I don't know, but whatever the reason, PCI isn't working.

There's little enforcement of PCI in the UK and Europe because there's little to back up the credit card companies when they decide to impose fines. Like the vendors, they have to cite events, which, believe me, are very hard to find... because there is no disclosure. Unless of course they are publicised already, but the chances are they are publicised because they have already been disclosed, by a customer or leaked by internal staff. In that case the vendors are all over them, the QSAs, the press, the FSA, etc. VISA and MasterCard might be in the queue, but they aren't going to make big bucks out of it once everyone else has had a slice.

There have been some pretty big breaches, and we have to assume not all of them have made the press. I recall reading a front page headline in the Sun before I moved over to Spain. There was a breach at Nationwide last month which warranted a £1million fine, from the FSA, not VISA or MC. That's been all over the news. Still no disclosure laws though.

In the US, something happens in California, a bill comes out and the rest of the States gradually adopts it because it's the right thing to do.

I spoke to Mike Howse from Protegrity last week and he told me that there is an estimated 3% PCI compliance rate in Europe, with around 19% "some way there". That is probably over inflated to avoid the attentions of VISA and MC.

Ingrian are the only people I know doing good PCI trade at the moment in Europe - that's because they got in with the QSAs early and Jon Shaw did a LOT of hard work in sales.

When I was with Vormetric we had a great PCI solution, and it still sells like hot cakes in the US because Heather Mark, ex-TrustWave PCI guru is now their director of marketing, her husband Chris is a big name at MC. Could we sell it in the UK and Europe? Not then, and as far as I'm aware, not now either. These accounts are rare, because the retailers don't yet have to care. Fraud they can pay for in the blink of an eye, fines are non-existent. It makes me want to weep just writing it, but that's the sad fact. Until we have something that really makes it painful NOT to comply with PCI, it just won't happen here.

In November there will be disclosure laws discussed in Brussels, until then, I'm staying away from trying to push the PCI buttons in the UK or Europe. I've tried for 7 years already, and it doesn't really work. When I was hawking encryption we had to look for events, PCI was no driver.

You are privileged to live in a country where the most powerful state is the one with all the technology. It means things move forward at an incredible pace. The UK is generally thought to be about 4 years behind the States in terms of IT security, although it can be as many as 6 in some cases, but usually the leader in Europe still.

I'm looking forward to data security really being sewn up in the States in the near future. I may even have to move there if the market here stays as it is. People here aren't even really interested in encryption yet. I'm getting tired and nervous waiting and it feels like I've been talking for too long without anyone hearing.

A case in point - when I worked in distribution last year NAC was just becoming popular, and I mean just. I gave a seminar on IT security back in November and you'd be surprised how many resellers didn't know what it was. I wasn't surprised to read in a blog yesterday that it was big in the States as far back as 2003.

So what else was big in the US 4 years ago? Let's do some business here.



No comments: