January is a popular month for waxing philosophical about the past year and prognosticating about the one ahead. One popular topic this year has been the impact of regulations on security and, ultimately, on the safety of eCommerce. As you might imagine, opinions span the full spectrum, but the general consensus seems to be that yes, things are better.
It would be irrational to argue that security technologies have not improved, just as it would be sheer folly to say that regulations like PCI have had no impact on eCommerce safety. That said, it also isn't clear that the gains have been as significant as some have claimed, and in the meantime attacks have grown considerably more sophisticated and effective.
To this end, I will be delving into these opposing conclusions below. For the purposes of this post, I will talk just about Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS, usually just called PCI). These two are interesting for a couple of reasons, not the least of which is how they contrast: SOX is federal law, while PCI DSS is an industry standard that merchants and processors are bound to by contract with the card brands rather than by statute.