People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an enormous reputational crisis born of bone-deep malfeasance and conflicts of interest, by deepening the “self-regulation” which is a hallmark of the field.
If these guys are doing a lax enforcement job, you sure can’t tell by the volume of whining coming from boardrooms.
Meanwhile, we have what seems to be the poster-child for ineffective regulation, the Payment Card Industry data security standard. This is the set of requirements laid out by Visa and MasterCard, which is due for revision in a month or two. The last year has seen compliance rise from 10% to about 20%. Meanwhile, the revision will reportedly eliminate the requirement for data at rest to be encrypted, and will, in a year or two, require attention to application-level issues such as SQL injection.
One of the biggest technology challenges is PCI’s requirement for encryption, [industry analyst Avivah] Litan said. Some companies are uncertain whether they’re required to encrypt data or can implement other compensating controls, she said.
Another factor in the slow pace of adoption is the perception that PCI, unlike government mandates, is a private standard lacking enforcement teeth, said Nigel Tranter, a PCI auditor at Payment Software Co., an auditing firm in San Jose.
Wrong. The standard does have teeth, but using them would be to kill the goose that laid the golden eggs. Unlike the PCAOB, whose industry makes more money the harder it is for firms to clear the bar it sets, Visa and MC face a hard choice. If they drive too many CardSystems into the ground, they shut off their own revenue stream. Every consumer they frighten into using cash at Sam’s Club or OfficeMax, they can count in their own loss column.
It isn’t the fact that PCI/DSS is non-governmental that matters, as the PCAOB proves in spades. It’s the incentives facing the folks doing the enforcing.