Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword: as a security checklist it is an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing.
As my maternal grandmother, who spoke fluent Yiddish, would yell at us when we piled too much food on our plates: you have "grosse augen". "Grosse augen" is literally "big eyes", meaning having eyes that are bigger than your capacity.
Yes, US publicly traded companies are already subject to multiple regulations. If the company sells to customers and stores and processes PII (personally identifiable information), it will have to deal with PCI DSS 1.1, the California State Privacy Law and Sarbanes-Oxley. PCI DSS 1.1 protects one asset, the payment card number and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects, eliminating redundancy where possible by using commonality.
On the domestic front, if we look at all the credit card fraud, data loss events and the great financial crisis, it seems to me that government regulation has made America neither more competitive nor better managed.
I would say that the short answer is that less is more: less, but simpler, more practical and universally applied, data protection regulation.