Citibank hack disappears!

What happened to the Citibank hack?

 Unlike other hacks, the hack of the US division of Citibank, the world’s largest card issuer, has essentially disappeared from mention as if it never happened.

 So what’s going on? Deep and wide-ranging questions remain unanswered, including: was Citibank PCI compliant?  Was compliance self-audited or assessed by an external auditor, and if so, by which firm?

 Then how will MasterCard and Visa treat one of their own as they mete out punishment and fines, compared to main street merchants?  How will the US government, state attorneys general and the various banking regulators react to a major bank being hacked?

 When an event of this magnitude is possibly made to vanish from any mention in the industry press, something is amiss.

 Main street merchants want to know, and deserve to know.

 As the event unfolds, merchants should be up in arms if there is not relative equity in the retribution against Citibank by all the stakeholders.  For the PCI DSS council, in my opinion, the chickens have come home to roost on the validity of PCI if Citibank was compliant.  But then the Council’s stand is always: if there was a successful hack, then the hacked could not have been compliant. To that I can only respond . . . BULL!

 For several years I have shared that businesses, banks and merchants alike, are resource constrained by money, time, knowledge and expertise. Hackers, on the other hand, have none of those constraints.  So when the world’s largest issuer of credit cards, with all its resources, is unable to thwart a hacker, how can main street business owners expect their comparatively meager resources to effectively protect cardholder data?

 In my view, the industry, particularly in the US, takes a wrong view of data security.  US resources should be focused on the apprehension, anywhere in the world, and then severe punishment of the perpetrators. The punishment should be so heinous as to cause only the most suicidal hacker to continue their effort.
