The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements put in place not too long ago, which required companies to encrypt sensitive information, are going to be removed. Yes, you read that right: removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government-mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's News.com:

*While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.*

*"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.*

*In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.*

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means, if done correctly, that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.
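As an added example, not from the original post or from any PCI document: a small Go vault that writes a card number to storage only as AES-256-GCM ciphertext under a key fetched from outside the data store, so a copied disk or stolen server yields nothing readable, and any edit to the stored record (including the clear last four digits, which are bound into the authentication tag) is rejected on read. The Vault and CardRecord types and the PAN length bounds are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardRecord is what lands on disk: the PAN survives only as ciphertext.
type CardRecord struct {
	Last4      string // the only clear-text field, bound into the AEAD tag
	Nonce      []byte
	Ciphertext []byte
}

// Vault wraps a key that lives outside the data store (an HSM or KMS in practice).
type Vault struct{ aead cipher.AEAD }

// NewVault builds AES-256-GCM from a 32-byte key fetched from that key store.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{aead: gcm}, err
}

// Store renders the PAN unreadable; only its last four digits stay in clear.
func (v *Vault) Store(pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 { // assumed PAN length bounds
		return CardRecord{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(last4))
	return CardRecord{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// Read recovers the PAN; it fails closed on a wrong key or any edited field.
func (v *Vault) Read(rec CardRecord) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	if err != nil {
		return "", errors.New("record rejected: wrong key or tampering")
	}
	return string(pt), nil
}
```

The key is supplied only at Vault construction, so a dump of CardRecord values alone, however it was obtained, contains no recoverable PAN.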

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.

Period.