What PCI compliance really means
January 21st, 2009 by admin. Posted in PCI DSS
One of my big frustrations is when people say things that sound reasonable and yet are entirely wrong. There has been a long conversation on Twitter and the blogs about how “PCI compliance is worthless if a compliant company gets hacked.” See, it sounds so plausible, and yet it is entirely untrue.
Singularities
A problem I have with the above statement is that singularities should not determine an ideology. To say that one company getting hacked proves the entire PCI program ineffective is faulty logic. Let’s take the example of seat belts. In 1956, Robert McNamara mandated the use of seat belts in all cars in order to save lives in the event of an auto accident. Most people agree that seat belts save lives and are a good thing to use when driving. Now if someone gets into a car accident and dies, even though they wore a seat belt, do we claim seat belts are useless? I mean, this one person wore theirs and they still died, so all seat belts must be useless, right? This is faulty logic. Many self-proclaimed experts talking about PCI, data breaches, and compliance will tell you these things, but they use the same faulty logic because they do not understand the complexities and the proper terminology.
Compliance vs Validation
There is a difference between ‘compliance’ and ‘validation’. Compliance is a state of being, one that must be maintained at all times. Validation is a point-in-time check on that state of compliance. The example I give is auto insurance. In order to comply with state law I must maintain auto insurance at all times. When I go to register my car I have to show proof of insurance; I am validating my compliance with the law. What if I decide to cancel my insurance because it costs too much? Am I still compliant? No. I still validated, but remember that validation is a point in time while compliance is measured day by day.
Compliance vs Security
Another thing to remember is that compliance, even the continuous state of compliance, does not equal security if it is not done right. If a company focuses on check-box compliance and doing the minimum, it may be able to complete the baseline audit, but does that mean it is properly managing its risk and protecting payment card data? Let me explain. I’ve asked many people, “can a firewall be used to segment a network?” Everyone agrees YES, but they are wrong. Only a properly configured firewall can segment a network. So if I check the box saying that something is out of scope of the audit because it is segmented off, the question remains: was it properly segmented? Did you really eliminate known attack vectors?
Let me expand on this with the example of motorcycle helmets. Not all states have helmet laws, and some permit the use of ‘beanies’, which are “generally only used to provide the illusion of compliance with mandatory helmet laws”. In some states wearing a beanie or ‘brain bucket’ complies with the law, but almost all motorcycle riders will agree they provide no real protection.
A CSO once told me “I only want the minimum, because I don’t get gold stars for being extra compliant.” I will never forget that statement because in a moment I realized he did not know the difference between compliance and security.
As Barack Obama said, we must usher in a “new era of responsibility”. We must take responsibility for the protection of data. We need to focus on strong risk management and start caring about the security of the data our customers entrust to us.
43 Responses to “What PCI compliance really means”
By Jeremiah Grossman on Jan 22, 2009
“To say that one company getting hacked proved the entire PCI program ineffective is faulty logic.”
That’s fair. In your view, how many would it take? Or perhaps more generically, how do we measure the positive security impact of PCI-DSS?
By Michael Dahn on Jan 22, 2009
Jeremiah, I understand your point of view, but you are not asking the correct question. What requirement in the standard itself do you think is bad for security and thus results in data compromises?
I think the question you should be asking is, why are people chasing compliance at the cost of proper risk management? Where you and I differ is that to you, this question proves that compliance has failed us, but to me this question proves that compliance is good as long as you still care about proper risk management.
At the end of the day PCI DSS all boils down to preventing the paper and electronic theft of payment card data - at all times.
We measure the impact of PCI DSS the same way we measure the positive impact of security. Compliance is the framework around which we find barriers and edges. Within the framework we need to continue to practice strong risk management.
I promise you the data compromises would be much worse if we didn’t have PCI DSS. How do I measure this? Well, how do you measure the positive security impact of firewalls, secure configuration management, or any other security control.
The problem with people looking at PCI DSS is they see it very black and white, as if you either have it or you don’t. Well, I could say the same thing about having or not having a firewall. The metrics are not in the numbers that have validated compliance but in the way they have secured the data.
By Jeremiah Grossman on Jan 22, 2009
Respectfully, you answered my question with another question.
“I promise you the data compromises would be much worse if we didn’t have PCI DSS. How do I measure this? Well, how do you measure the positive security impact of firewalls, secure configuration management, or any other security control.”
I know how I would measure results, but was more interested in your thoughts on the analysis.
To answer your question(s), I don’t think any requirement cited is particularly bad, which is not to say that they are good (in any or all cases) either. Personally I’d prefer a liability based model for merchants and let compliance be optional. Merchants should be able to manage their own risk profile. So if PCI-DSS truly reduces risk, I believe it would be readily apparent.
By David Navetta, Esq. on Jan 22, 2009
A couple points.
(1) Faulty Logic. You claim that it is faulty logic to conclude after one company getting hacked that the entire PCI program is ineffective. On the flip side, it is also faulty logic to conclude that the mere existence of a standard means better security. It really depends on what the standard says, its scope/rigor and how it is applied. Even for seatbelts, some studies have suggested that the existence of seatbelts may increase the likelihood of reckless driving. See: http://www.time.com/time/nation/article/0,8599,1564465,00.html?cnn=yes It is possible to implement a standard simply to give the impression that something is being done…
(2) It’s the Risk, Stupid (note: playing off of It’s the Economy, Stupid). As you cite in your post, many individuals considering PCI compliance are only interested in doing “the minimum” to allow them to validate compliance for the year. The problem is that there is no requirement under PCI that the level of risk posed by a given merchant or processor’s operation dictate compliance. How can the requirements of PCI be the same for a merchant that does 1000 cards a month and a payment processor that does 100 million cards per month? It only can if the depth/rigor of compliance is higher for the 100 million processor. You are right, there is a difference between having a firewall (check box!) and having a properly configured firewall and having a program in place to ensure/check that firewalls are properly configured. Yet, some view the PCI Standard as not making a distinction between these situations – all are “compliant.” And, I contend that that is a problem with the Standard – that concept should be explicitly stated in and made part of PCI. Not that GLB itself is a great standard, but at least it captures the idea of risk:
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
(3) The Incentives Are All Wrong. Let me partially take back some of what I said about not taking risk into account. Merchants and service providers are taking risk into account, the risk that they will lose their ability to process credit cards if they are not PCI compliant. That is the motivating factor in the PCI game. With no other real carrot or sticks implemented within the system. Thus the name of the game is getting an ROC as cheaply as possible.
As long as you can find a QSA to validate, or one of your own IT employees for SAQs, you can continue doing business. And of course, since there are hundreds of QSAs, meaning tons of competition, companies can leverage that competition to get an easy pass. QSAs that want to do the right thing get marginalized. In fact, since the QSAs get critiqued by their customers, those that play ball end up rising to the top of the ladder (another flaw in the system). But isn’t the QSA assuming the risk if they rubber stamp, you ask? Go read your contract with the QSA and see how much risk they are actually taking (look at the limitation of liability clause, disclaimer of consequential damages clause and indemnification clauses). Meanwhile the ROC that is submitted is accepted without question. We won’t even get into the incentives around an in-house security or IT professional (with perhaps no security training) who is completing a merchant or service provider’s SAQ.
So what could change the incentives/motivating factors: carrots and sticks. There is no enforcement unless you are not validated. Nobody checks if you REALLY ARE PCI compliant or whether you ACTUALLY have reduced any risk. There is no penalty if you are validated unless you suffer a security breach (discussed more below).
What about carrots? The benefit of validating PCI compliance is the ability to accept payment cards. That benefit accrues to any company that has validated, whether or not they actually have reduced risk to a reasonable level. What about “Safe Harbor”? I don’t think it exists. Many companies I have spoken to are under the impression that if they are PCI compliant they will be immune from fines/penalties and liability. I challenge anybody to identify a LEGAL RIGHT to immunity or a LEGAL OBLIGATION on anybody to provide a Safe Harbor. In fact, Safe Harbor is no longer even identified on Visa’s website: http://usa.visa.com/merchants/risk_management/cisp_overview.html You have to use the Internet Way Back machine to find information on what they used to call “safe harbor”: http://web.archive.org/web/20070911065117/http://usa.visa.com/merchants/risk_management/cisp_overview.html#anchor_9
Note that even under the old description of safe harbor, it only excused PCI-compliant merchants from fines. It did not prevent an Issuing bank from suing a merchant for the cost to replace cards. So clearly, for merchants that engage in rigorous PCI compliance there is no carrot that comes their way if they happen to suffer a breach.
Frankly, the lack of proper incentives and motivation around PCI compliance make me wonder about my last sentence in (1) above.
(4) The Ultimate Stick – Getting Your Pants Sued Off. Yes, high profile breaches and lawsuits can deter bad behavior in the PCI realm. However, there are a couple issues here as well. As set forth below it appears that some companies believe that if they validate PCI compliance they are in a Safe Harbor that protects them. Therefore they (wrongly) may not fear lawsuits. Secondly, for those that use QSAs, there is a belief that if they are validated PCI compliant and they really aren’t, that it will be on the QSA. Again read your contract with your QSA to see how much liability they are actually taking. Perhaps more high profile incidents like Hannaford and Heartland will act as a deterrent, but I question how much it is now. This is especially true because lawyers are often not involved in the PCI compliance process and those that are do not have the experience to gauge actual legal risk (unless they have law degrees and have practiced – which is a whole other post).
Well I guess that was more than a couple. Thoughts?
By Michael Dahn on Jan 22, 2009
I see your idealism with the liability based model, but the problem is that this has failed us as a society in so many ways. Yes, it works in theory but the liability-hands-off approach failed the banking system and would fail many other industries if left unregulated. It sounds like you are pushing for less regulation (across the board) and letting market forces dictate the rise and fall of merchants. This sounds good but what happens when all merchants fail at once? If this happened, the cost would be saddled on the card issuers. What happens when one of them fails? Now people don’t have credit cards. Now people find it harder to buy goods and have less credit.
I agree that regulation should not be overly burdensome, but do you really want a completely free market society, without any regulations whatsoever?
By Bill on Jan 22, 2009
Hi Michael,
You missed the biggest reason for PCI’s existence: PCI is a risk shifting tool for the card issuers that shifts risk to the payment processors and the merchants. It’s not about security at all. That some (most?/all?) of the elements of the spec if followed in the spirit of them can result in better security is irrelevant. The purpose is for Visa and the gang to show they did their bit, it’s the processor or merchant who dropped the ball. As such it’s a hurdle, not a preventative measure. Be secure because you should, be compliant because you must.
By Jeremiah Grossman on Jan 22, 2009
“Yes, it works in theory but the liability-hands-off approach failed the banking system and would fail many other industries if left unregulated.”
In the case of the financial industry, I’m of the opinion that regulation failed us, not the lack thereof. More bureaucracy is not the answer, but I think this is an entirely separate issue. I’d submit that both regulation and non-regulation has failed society at different points in time.
So yes, I would push for less regulation and more liability across the board. Failure to properly perform risk management risks drastically impacting your business. I believe catastrophic multi-party system compromises are more likely to occur in heavily regulated industries than those that are not.
Perhaps when, not if, that eventually happens… many will still cling to the illusion that compliance and industry regulation is the answer.
By Gary Hinson on Jan 22, 2009
You said “compliance, even the continuous state of compliance, does not equal security if not done right” … I would go further and assert that compliance and security are largely independent with only a few limited touchpoints. Whether they are ‘done right’ or not doesn’t matter. There is a basic issue with compliance because the standard or requirement against which compliance may be assessed has to be written quite formally, and yet information security is a larger, largely unbounded and complex problem space. This situation leads to three obvious consequences:
1) People play games, interpreting certain requirements in the most narrow, literal sense when it is convenient for them to do so, realizing that the compliance auditors cannot really complain (oh and compliance auditors play games too!);
2) Things which cannot be specified in a formalized and assessable/certifiable manner tend not to be specified at all in compliance standards or laws, no matter how important they really are. Security awareness is a classic example of this; and
3) Things which are not specified and mandated and assessed carry less weight with management and are obviously less likely to be done for compliance reasons. Whether they get done at all depends on other pressures such as recommendations, codes of practice, generally accepted standards of due care, professional integrity of management and its advisors, competence of those involved, available funding/other priorities, perceived chances of not being caught out, presumed cost-benefit case, personal interests/prejudices, blah blah blah.
G.
By Ashish on Jan 23, 2009
Use of security is like a brake on a vehicle, which helps the driver to move with some speed. PCI DSS compliance is a step towards giving a comfort of security for using the system for transactions.
By Alex on Jan 23, 2009
I have no idea what sort of industrial solvents you’re huffing, Michael, but this is all sorts of messed up. So much so that I love it. It’s like Zen.
Jeremiah, Gary, guys - Michael’s right. PCI doesn’t make you “secure”, it doesn’t serve any particular purpose, people game it and resent it, but that doesn’t matter. You guys are missing the purpose. The purpose of PCI is to “just do it and just be it.”
PCI is a state of mind, it is the arrival of cosmic state and validation of that state. In fact, I think that when the singularity comes and AI finally achieves consciousness - PCI will be the first machine religion. And Michael will be held up by our new cyborg masters as their analog to L. Ron Hubbard. And most probably, the only reason the cyborg overlords will keep humans around is because Michael is flesh and bone, and anything that can obtain machine-enlightenment in the same manner as the great PCI will be the source of humanity’s salvation.
By Walt Conway on Jan 23, 2009
Reading this discussion has me asking a slightly different question: are we expecting too much from PCI? That is, PCI is not a security standard (as has been pointed out) but it is a data protection standard. I can’t agree with the notion that PCI represents a shift of liability: if you don’t keep the data (which doesn’t belong to you, the merchant, anyway) you generally won’t have too great a PCI compliance burden.
PCI is about protecting cardholder data. If you want to play the game and keep the data (generally for “marketing” purposes or some other generally false reason) then you gotta follow the PCI rules.
As for effectiveness, we are told that no truly/actually compliant (at time of breach) merchant has been compromised. Maybe Heartland will be different; maybe not. But PCI seems to be working. It doesn’t keep you secure, but when (vs. if) you get hacked, at least the cupboard is bare…hopefully…
By Ed Bellis on Jan 23, 2009
It’s important to note that there are real reasons other than marketing to store the data. Charge backs are one of these reasons. The card associations require merchants to charge back the specific card used during the transaction; there is no way to guarantee this without storing the actual card number. Charge backs can occur at different times for different industries. Within the travel space, a consumer can book a flight up to a year in advance. A charge back can occur within this time as well as a limited time thereafter.
We really need to address the root cause as an industry. We continuously debate about the effectiveness of PCI versus general security practices or risk management. The real reason this is still an issue, the card holder data remains valuable. It is essentially a shared secret amongst many merchants, service providers, banks, etc. A shared secret this large will never be very effective. We need to remove the value from the data. Until then we are relying on the weakest link of this shared secret.
By Michael Dahn on Jan 23, 2009
@Gary, everything you said is exactly in support of my argument that it’s all about the implementation, configuration, and execution of security and risk management. I agree that there are problems with the process, but we need to work/see through those to the goal - protecting the payment card data.
By Michael Dahn on Jan 23, 2009
@Walt, you are entirely dead on. I like your statement of “PCI is not a security standard … but it is a data protection standard”.
By Michael Dahn on Jan 23, 2009
@Ed, actually certain card brands changed their OpRegs years ago to no longer necessitate storing payment card data for chargebacks. This may or may not have trickled down through the acquiring/issuing banks, but it was addressed at the card brands long ago.
By Jim on Jan 23, 2009
Mike is right as usual. In my experience, security is a mindset and a journey, not a destination or a product. PCI does get “gamed” too much both from organizations looking to spend the least amount of capital to be able to cross PCI off their list, and by vendors pushing overpriced “solutions”.
I think PCI is useful and can be very effective when followed with diligence.
By Michael Dahn on Jan 24, 2009
@Bill, your comment about “risk shifting” is flat out wrong. Ask anyone who really understands the payments industry. I’m too tired get into it here. Call me and I’ll explain.
By Ed Bellis on Jan 24, 2009
@Mike I agree with you that “risk shifting” is an invalid argument. That has never been the case.
Regarding storing data, there are many merchant providers / acquirers that still require merchants to chargeback the same card used (example here: http://www.e-onlinedata.com/merchantaccounts/fraud.php ).
That said, my real point is there are many reasons other than marketing to store card data. This includes recurring charges, customer preferences, etc. I would fathom to guess most merchants aren’t using their card data for marketing purposes.
I’m not disagreeing with your post or what you are saying, I just think we are all having the wrong argument. We really need to take the value away from this data to truly prevent these sort of stories and incidents from continuing.
By Michael Dahn on Jan 24, 2009
@Ed, that’s a good question, but which do you think will happen faster: changing the way credit cards are designed and used or replacing the PAN data with substitutions (a token, secure hash, masking, truncating)?
Visa Europe started mandating the use of iCVV last year, which takes Chip-and-PIN to another level of removing the value from the data.
I honestly don’t know which will happen first, but both approaches have their benefits.
By Ben on Jan 26, 2009
@All
My 2 pence… (sorry, I’m British, I only do pounds, pints, miles and pence)
It seems to me that the PCI-DSS serves multiple masters and as such inhabits a number of spaces within the IT security firmament. As I watch the Heartland debate continue, I’ve now become convinced that those spaces are only partially related to information security. To my mind it is best viewed in the following order.
Initially, at the executive level, the PCI-DSS is like a corporate Hazmat License. The material is credit card numbers, but compliance is a tick-in-the-box to enable commerce. That is the corporate objective. That is the money shot.
Secondly, it greatly increases the chances of finding the actual perps. Most of the tools, processes and architectures seem to add the greatest real value in the ex post facto forensic timeline once the fraud detection AIs have spotted suspicious activity in the world of the numbers. (My unverified assumption is that PCI sponsors do much of the actual initial detection.) It adds the bonus of giving a bigger source of information to use to point the finger (or to transfer the risk if you like), although it doesn’t necessitate that process. It is essentially a good sand-trap to track the telltale signs of information carnivores.
Thirdly, it is a thumbnail sketch of best security practice - to ensure your credit card number vault is secure enough to deter the less determined. It is not the whole of the moon. It lacks much of value in the execution of effective information security (robust risk management processes, system event driven incident response, development life cycles, change control, aggressive high human input pen test (unless you ask for it as part of your scan of course), etc). It’s not the optimal, but do it honestly and you’ll have more, that IMHO can’t be denied.
Taking the value out of the data may well just shift the focus of the underworld. The rust never sleeps.
By Rip on Feb 2, 2009
Interesting stuff - new to the whole PCI scene and came across this. Other than ethics, I’ve really found no reason to become compliant, other than the inherited improved security??
By Jay on Feb 2, 2009
HAHAHAHA You guys are talking about PCI and Security.. Let me explain to you about PCI and Security..
These are the Visa/MasterCard transaction levels:
Level 1: 6+ million transactions a year
Level 2: between 1 million and 6 million a year
Level 3: between 20k and 1 million
Level 4: up to 20k
These are the resulting compliance requirements:
Level 1: Annual onsite review by an internal auditor or a Qualified Security Assessor. Also a quarterly network security scan is required with an approved scanning vendor.
Level 2, 3 and 4: Quarterly network scan and yearly self assessment questionnaire.
That’s right, a SELF ASSESSMENT, I will repeat SELF ASSESSMENT questionnaire on the current controls to protect client data.
PCI compliance is not a Security framework, it’s a liability shift from Visa/MasterCard to the merchants. Even still, Visa/MasterCard will rarely, and I mean rarely, publish companies who have been found non compliant with PCI or who have been breached. Some states have made it law to inform all persons who may have been exposed to a breach, however I don’t think it’s law in all states.
So.. is the PCI program ineffective.. HELL YES, for all those companies that do not require an external auditor to attest to the current compliance.
Only one of the Big 4 accounting firms provides certified PCI compliance reports because of the risk involved to the auditors. A point-in-time compliance audit does not provide you with sufficient comfort to ensure those controls have been in place over a period of time.
Some serious overhaul to the standard is required to make it effective.
By Jay on Feb 2, 2009
RIP, I would still be PCI compliant if you are processing CC’s. If you are compliant, regardless of the effectiveness of the controls, and are hacked, there may be less ramifications, like not losing the ability to process credit cards or serious fines. I think the last report I read estimated a cost of $100 per credit card number breached. This is a combination of fines from Visa/MasterCard, legal fees and law suits.
By Michael Dahn on Feb 2, 2009
@Jay, I won’t moderate and remove your comment because I’d like to allow everyone their own voice, but I want you (and others) to know you are entirely wrong. The numbers you quote are wrong and based on incomplete information.
Since all you have done is quote the Visa levels and validation procedures from their website http://www.visa.com/cisp/ I can tell you are not familiar with the nuances of compliance and validation.
Since you stated that PCI is a “liability shift” I will also assume you don’t understand the payments industry, who the players are, how risk and liability are shared, or what role the payment brands play in all this.
Since you reference the Big 4 and “auditor risk” I assume you have little to no understanding of what it means to own a QSA firm and how the legal contracts are written.
I do not appreciate you speaking on this topic when you seem to know very little about it. I’ll extend you the opportunity to call me direct (my number is always on the main blog page and has been for years.) If you don’t want to call then try taking our CPISM/A certification classes so you can at least learn more about the industry and its players.
By Michael Dahn on Feb 2, 2009
@Rip, compliance is a state of being. That state is to protect the electronic and paper theft of payment-card data. If you’re asking why you should do this then I must worry for your customers.
Sorry to be rough. I can help you more if you better phrase your question. In fact, try posting it in the forum: http://forum.paymentsecuritypros.com/
By Jay on Feb 3, 2009
@Michael, no I don’t own a QSA firm, but there is a reason why Big 4 firms do not certify for PCI compliance except for Deloitte, and “I believe” the report is legally issued by one of their UK offices. There is too big of a risk… regardless of the legal contracts in place.
What part of a self assessment questionnaire provides you comfort that an organization has sufficient controls in place to be compliant with PCI DSS 1.2 requirements?
I have seen too many organizations with weak security controls who think they know, or have no clue about, the true security posture of their IT infrastructure. And you are asking them to self assess?
And a point in time assessment is extremely weak, whether you accept that or not is fine. Sure I am compliant today, but I only fixed everything the day before the assessment.
My comment of it being a liability shift may have been off the cuff, but I understand the consequences to both the merchants and VISA/MasterCard if people no longer have faith in the security of their credit card information when they make purchases. They would stop making them, affecting the profitability for Visa/MasterCard and the merchant.
The ability of organizations to truly meet compliance requirements is weak and leaves customers’ information at risk.
Don’t act like you are offended that I posted my opinion because you disagree with it. Dispute my comments with a logical response to show me why I am wrong. I have no issue in accepting I am wrong if you can explain why I am wrong.
I look forward to your response.
By Rip on Feb 3, 2009
@Michael - I’m worried about my customers, too, that’s why I’m trying to learn about the PCI stuff. It’s new to me. I only look for the “reasons why” to quantify the need to management, try to make them understand. I can’t spend a dollar on anything otherwise. I’m definitely visiting this site and forums more! Thanks for everyone’s replies.
By jeremy on Feb 5, 2009
@jay - I believe Deloitte QSAs are only in Canada and NZ. Also, PricewaterhouseCoopers is on the QSA list but only for Canada. So I don’t think any of the Big 4 are auditing PCI in the US. At least, according to the latest QSA sheet (https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf)
By Michael Dahn on Feb 5, 2009
@Rip, I commend your interest in learning more about this sometimes blindingly complex industry. Certainly one of the best ways to do so is to take a boot camp and get up to speed on all the moving parts.
If you’re curious about why to get compliant the answer is different for everyone:
1) Industry mandates and required for accepting and processing payment cards
2) Brand and reputation
3) Protecting your customers data
4) Some service providers are required in order to continue doing business with their clients
… and the list goes on and on.
There are also direct fines and penalties for some merchants in the USA and global deadlines that have already been set for other merchants.
I’m happy to talk with you any time. Call and I can walk you through it with respect to your perspective.
By Michael Dahn on Feb 5, 2009
@Jay, you’re working under faulty logic that would take pages and pages to explain (thankfully we are coming out with an entire book on the topic soon.)
Call me and we can talk liability. This is complex and does not work the way you think it does. QED.
The one thing I will agree with you on is that companies, internal to themselves, need to go beyond the point in time validation and maintain a continuous state of compliance. This I have stated over and over again. The driver for this needs to come from internal to the company and not from an outside source.
By jeremy on Feb 5, 2009
I generally agree here.
A mindset of keeping things “secure” has to realize the “big picture” while still taking into account the “vested” interests of outside entities. Having an attitude of “We need to be secure so we can protect our clients AND ourselves” is a much better attitude than one that says “We need to do the minimum amount possible to protect ourselves because PCI says so.” - it’s astounding to me that, after two years, I still hear people [flippantly] throwing around the phrase “well this is what PCI says…” without ultimately understanding the intent.
Companies also need to understand that security is a top-down process. Although, it’s better if *EVERYONE* were naturally on the same page (that’s a bit idealistic though).
Ultimately, the results of a self-assessment may not necessarily benefit a company, especially if those doing the self-assessment are not competent enough to realize the risks. But it’s really the way the company (and specifically management) sees the purpose and importance of the self-assessment - if they did, they would invest in it more and take the time to learn what the risks are, train their people, and hire outside help to show them the faults. IMHO, herein lies the problem: most companies/mgmt see “PCI” as a pest of sorts, rather than a motivation to go above and beyond in terms of security. At the point they start thinking “omg, I have to spend all this money on security equipment!” they lose sight of the fact that a) PCI isn’t an overnight process, and b) yes it may cost *something* up front, but in the long term would you rather lose customers and even your business?
Okay, I don’t know if any of that made sense. But I felt I needed to say *something*
By Jay on Feb 6, 2009
@Jeremy
I didn’t realize PWC was on the list. Thanks for the information.
@Michael
Thank you for the response.
The issue with the driver being internal is that organizations are all about making money and Executives have an extremely hard time translating organizational risk into a dollar value.
How much do I spend on DRP? Do I drop 100,000K on a hot site that I may never use?
What is it going to cost me to be PCI compliant versus not being?
Because companies think like this, it is the reason you have PCI/SOX/Bill 198 compliance certifications; otherwise they would do nothing.
So I guess a better way of looking at this is that external drivers are needed to educate businesses to understand and drive their own process versus forcing them to comply with weak standards. I think that is still wishful thinking.
Cheers
By Michael Dahn on Feb 13, 2009
@Jay, I don’t mean this as a sales pitch, but having a solid understanding of scope and implementation requirements is key and may result in significant cost savings.
This is why I recommend the CPISM and CPISA certifications, because the information you learn in the bootcamps are invaluable.
By Nick Cook on Feb 25, 2009
In regards to PCI compliance and how effective it is, one of the thousands of companies that helps merchants “validate” PCI DSS compliance is Security Metrics (www.securitymetrics.com). They claim that not a single one of their customers has ever been compromised… that sounds like a good way to measure to me?!
By Michael Dahn on Feb 25, 2009
Nick, I think we are seeing a movement from security audit companies doing point in time assessments to a more continual process of validation. This is similar to the difference between a Type 1 and Type 2 SAS-70.
By Nirav Shah on Jul 30, 2009
Most of our business areas store credit card numbers for recurring charges. Is there a service a merchant bank can offer where we are no longer required to store the full credit card number?
By Nick Cook on Jul 30, 2009
Nirav Shah:
I am not sure if I understand your question. Could you clarify or elaborate more?
Thanks
By Nirav Shah on Aug 11, 2009
Never mind about the last question. However, I got one more. Are there specific controls for the mail room, who distribute sealed mail to the destination that may contain credit card data? I do understand physical security is covered under requirement 9. However, R9 is more focused on the location where systems with credit card data are located. Here, the mail room reps do not open the envelope; they are the first in line to get this sealed envelope containing credit card data.