You can't secure what you don't acknowledge.SM

Friday, August 15, 2008

Access to one card at a time isn't a bad thing?

I'm writing an article series that includes some information about PCI DSS. In my research, I noticed something interesting - almost comical - about Requirement 12.7:
Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

So, "access to one card number at a time" won't put credit card data at risk? An employee with a shady history could gather quite a few credit card numbers day in and day out this way...

I know it's not realistic to screen every employee all the time - especially in high-turnover jobs. Rather, I'm just pointing out how information security is not black and white and there are always loopholes and gotchas.
