5 Myths of PCI Compliance
March 3rd, 2007 by datasecurity Posted in Card Brands, Compliance, Conferences, Credit Card Fraud, Merchant, PCI DSS, QSA
I’ve been having this conversation with several of the Security Bloggers Network people and have come to a few conclusions. I would like to address some common misconceptions about PCI DSS compliance, the PCI compliance myths.
Myth 1: PCI compliance has no teeth
Read the “multiples” of PCI non-compliance. (It required its own post.)
Myth 2: There is no real enforcement of PCI
One might have reason to state this. If you know the history of PCI then you will remember that merchants were required to comply by September 30, 2004. Wow, 2.5 years later and not everyone is compliant? You may recall this is the way all compliance programs work.
GLBA (Financial Modernization Act of 1999) was made a requirement, but took several years to bring the majority of financial institutions into compliance. To date many merchants are working on complying with PCI DSS and most have PCI PIN compliant devices/systems.
In 2007, starting with the PCI month of awareness, Visa’s Compliance Acceleration Program (CAP) will proactively fine merchants that do not comply. How does $100,000 per month sound?
Not enough carrot? Visa USA has alluded to the fact that compliant merchants may receive lower interchange rates. THAT will have a noticeable impact on the bottom line of all large merchants.
Myth 3: Too much ambiguity in PCI compliance
This I will admit is correct. But there are ways to correct this.
- The PCI SSC trains all QSAs on the intent and meaning of each requirement.
- PCI training is available for merchants and service providers.
- This blog and its experts answer *every* question that is sent to our email and voice mail (on the top of every page).
- The card associations have web sites and email addresses to ask questions.
- There are community forums for discussing PCI with your peers.
I just don’t know what other tools one needs to become the most well versed person on PCI.
Myth 4: Credit card theft is identity theft
One of my great frustrations is when credit card issuers market their products as having “identity theft” protection. If someone steals your social security number they can open multiple lines of credit in your name, and it is a very painful process to reverse. If someone steals your credit card number you are not liable for any of the fraudulent transactions, and all it takes to fix it is having your bank send you a new card.
The information is not the same and so their theft should be treated differently. Chronicles of Dissent has more on this conversation.
Myth 5: PCI auditors are not independent
I was surprised to hear this argument printed in eWeek. (I wish Evan Schuman would call us next time he has a PCI-related article. Evan contacted us and we will engage such media sources more directly with feedback in the future.)
The fact that the auditors in question are paid by—and are given instructions by—the retailers being audited is the most textbook conflict-of-interest I’ve seen in quite some time.
The fact of the matter is that a PCI auditor must be both an advocate for their customer and an enforcer (and interpreter) of the PCI requirements. If you say that auditors all lack independence because they are paid by their customers then where do you stop? Is SOX auditing all crap because the government doesn’t perform it? When you pay an inspector to examine your house for structural risks, do they lack independence because they want to make you happy with a clean report?
If you want precedent for why a QSA should perform high quality work, just look to the CSSI compromise. This was a service provider that was listed as compliant and then hacked, turning into the biggest compromise of the time. Did anyone notice that one of the QSAs was removed from the closed list of assessors? Coincidence?
The argument for lack of independence holds no water. What I think Evan meant to say is that some companies provide both the security solutions and the compliance audit. This is really what toes the line of independence. I mean, how can one company both install the firewall or IDS and then audit the products they installed?
(Thanks to Alex for highlighting some of the concerns felt by the community. Also, read Martin’s take on the issue.)
2 Responses to “5 Myths of PCI Compliance”
By Toast on Mar 8, 2007
Hello,
Good article. Wonder if you can tell me: What is the FORMAL definition of a “breach”?
For example, if a member of staff at a merchant’s call-centre jots down random card-holder details, accumulating tens or hundreds over the course of a year or so, does that constitute an actual breach of the PCI DSS itself? I ask because a potential client of mine points out that the Standard stresses data compromise from computer systems — whereas this example illustrates systematic abuse of a business procedure (telephone conversation with customers).
I HAVE seen the term COMPROMISE defined in the PCI DSS Glossary. But that just illustrates my point:
“Compromise: Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected.”
Such a narrow and fairly pedantic definition is perhaps understandable, given that this is a DATA security standard. But, for instance, it complicates the decision of whether my 20,000-transactions/year client immediately becomes a Level 1 merchant by dint of that previous “breach” or “abuse”.
So once again, what is the PCI SSC’s formal definition of a “breach”?
Thanks and regards,
Toast.