May 29 2008

Who you gonna run to?

Published by at 9:59 pm under PCI

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, there’s no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such a entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to to report TJX. I really wish it did, I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

One Response to “Who you gonna run to?”

  1. StillSecure, After All These Yearson 30 May 2008 at 5:47 pm

    Not ‘who you gonna run to” but “who you gonna call”?…

    You could try ghostbusters, but don’t bother calling the PCI council. So says Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course I was responding to Martin’s…

%d bloggers like this: