tssci security

Way to go Arnold -- why AB 779 was a lose-lose situation for small business

A lot of commotion has recently been stirred up around California Governor Arnold Schwarzenegger's recent veto of a bill (AB 779) that would strictly mandate compliance by all merchants. Many have scoffed at the Governor's "caving to lobbyists and members of the retail industry." You know what? I actually agree with the Governor's veto of this bill. Even though I've expressed some criticism recently over the ambiguity of PCI DSS, I really think the Governor has it right.

This bill is only friendly to big business, not the little guys. Compliance with state laws and regulations costs small businesses money, sometimes more than they can afford. Many businesses thus stick with cash-only policies and weigh the trade-offs from losing business from processing debit and credit card transactions. Does anyone know how much money is spent on getting licenses for business and all that other stuff a mom and pop retailer needs to do?

Bill Brenner of Security Bytes is disappointed with the veto. He states, "Apparently no one told the governor that PCI DSS is NOT working." Okay, where's your data to back up this claim? He goes on to say, "Big business, hackers, and ID thieves won today." Hmmm, it's easier for big business to comply because they have vastly larger bank accounts and can throw more people at the problem. Small business? Not so easy. Just take a look at what percentage of your income health insurance for your own family ends up costing you when you own a small business.

In addition, the law would conflict with PCI DSS. PCI already has multiple levels (four) of compliance that apply differently to merchants based on the number of transactions processed annually. To push another regulation on every business is just pointless. Chalk up another useless regulation with no teeth that we have to think about. The list goes on and we all know them... HIPAA, FISMA, etc. Who would make sure merchants are compliant on an every-other-day basis?

I can compare this bill to NASCAR regulations. A couple years ago, NASCAR introduced a rule that would require teams to dial-in shocks and keep them within spec following a race. The teams with the most bucks turned to sophisticated seven-post rigs to dial-in their suspension easily. What does this mean? The teams with less money get shafted... literally. For the teams that can't afford this tool, more time and money is spent meeting suspension specifications.

Too much effort to comply "not an excuse?" Well, when you're a small business, you have less money, less time, and fewer resources to do it. What you can do is far less than what a big company can do. Anyone who owns their own business knows how much time they spend doing government paperwork. Almost half.

Also, think about the risk here. What's a better target? Mom and Pop with 100 credit card numbers, or a multinational with hundreds of thousands? Surely, a high-profile nationwide company or chain inherits a greater risk of a security breach simply because of the cost-benefit calculation for an attacker. Hacking a little town store is just not worth the trouble. A small-time criminal takes a bigger risk (stupidity, desperation, etc.) holding up a convenience store because the payout isn't nearly as much as a bank heist (planning, worth, etc.).

Posted by Marcin on Tuesday, October 16, 2007 in Politics, Privacy and Security.
