PCI Compliance

[Ivanbb]

We're all getting spam about PCI compliance and banking policy. Is it legal?

Reading between the lines it seems the banks have been "shaking hands" for proffit again. Internet security is abysmal, but banks wish to sell Internet banking because it's a high profit margin, even with level of fraud. 10 years down the line bankers still can't stop Internet fraud and can't be bothered to invest in better security so now they are insisting blame fall on the client if thier network is targetted and hacked.

The last spam received from this American PCI company contained the email addresses of around 250 other companies. Sending the email addresses of others in thier database doesn't sound very smart to me. Nor does it sound like the action of a competent security company.

 

I have no intention of submitting security deatail of any of my customers to a company which shows this level of incometance, or for that matter to any database which I have no control over. Where do we stand regarding the law? Can a client be held responsible by the bank if hacked?

[slick132]

Hi Ivan,

 

Sorry, but what is PCI.

 

The banks have a long history of trying to sell products to cover for events which you don't need cover for. If you are the victim of fraud but are not responsible for it, you should be able to get back any monies taken fraudulently.

 

The bank is obliged to refund even while they investigate under rules brought in at the end of 2009 by the FSA.

 

8-)

[Ivanbb]

The security Industry is using PCI to mean Payment Card Industry. First proposed around 2002 it came into force this year. Barclays insist anyone handeling customer credit card information must follow the new rules laid down or potentially be held liable for loss in the event thier computers are hacked. Basically you must now register your company security details with Barclays chosen American security company and subject your PC or network to regular external checks. Effectively slic123, its a means of the bank cutting the cost of Fraud by blaming the customers security. "Reasonable care" is one thing and the principle can't be argued, but consider this: 1) The business is forced into giving it's security details to another company. 2) The security company currently doesn't know how to protect it's email database, let alone customer database. 3) If a new security exploit is discovered and the company is hacked, both Barclays and CC companies can wash thier hands of the blame. 4) Small IT companies providing Internet securety services to clients must qualify thorugh a governing security company that doesn't know how to send email without reveiling everyone in the email list. It seems to me there's a bigger risk in signing up than keeping personal security details personal. So... Can a company be held liable for not complying with these new banking rules?