1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they are restricted to using specific technologies and practices, they won’t be able to take advantage of new developments.
So, having said all that, my suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure. And to offset the impact of losses, they should continue to incorporate the notion of quarterly scans by independent assessors, which is one of the few good things about the PCI Data Security Standard.
So writes Steven Hofmeyr in “The effect of legislation.” I’m in general agreement. I suspect that the 12 step programs being promoted by Visa and Mastercard are there because of demands from their smaller customers. Even larger customers would like to constrain their investment, by being told when they can stop spending on security to avoid fines from Visa or Mastercard.