Yesterday I posted an analysis of the Hannaford breach in which I made a contentious statement.

In other words, PCI is worthless.

Some of the commenters weren’t too pleased with this statement, an example from @Mike:

That said, to discount the program as “worthless” makes me question how informed the person saying it really is about this topic.

I’ve been digging into PCI since before it was PCI (Visa CISP) and talked with all sides, from struggling retailers, to credit card processors, to auditors, to the big guys themselves. You might not like my conclusions. You might think I’m an idiot. But I’m definitely a well informed idiot.

Now back to PCI.

I admit that PCI isn’t completely worthless. But let’s not call something that’s degraded into a very costly awareness nudge an effective industry standard for protecting cardholder information. Pretty much everyone involved with whom I have discussed PCI admits it’s not very effective, especially considering the cost. A few points and suggestions for fixing the system:

  1. PCI-DSS was established to transfer risk from the credit card companies to the retailers and processors. There is a lot the credit card companies could do to reduce risk on the processing side, but they have instead chosen to push it onto the retailers and processors.
  2. Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process.
  3. No ASV has been dropped from PCI, even after certifying non-compliant companies. There is no accountability in the system.
  4. ASVs are allowed to offer services to the companies they certify, which is a built-in conflict of interest. They should be held to the same standard as financial auditors where the audit function and compliance assistance/services/consulting cannot come from the same auditor.
  5. Many auditors certify compensating controls that are clearly ineffective.
  6. Due to lack of accountability in the system, companies push ASVs for the lowest price possible to achieve “compliance”. This price pressure leads to cheap certification, and the approval of inadequate controls mentioned in point 5. PCI-DSS is moving to a checkbox that doesn’t necessarily reflect any level of security, and the credit card companies are okay with that since they can just later find the company in violation after a breach, yank certification, levy fines, and push all costs to the retailer.

We can fix PCI, but right now it’s very ineffective at stopping real breaches. The standard needs to adapt faster; there needs to be accountability and separation of duties at the auditor level; and the credit card companies need to adjust the processing system to reduce fraud, not just set an incomplete standard for retailers.

Maybe not worthless, but considering the cost we sure as heck should be getting more out of it. Some companies use PCI to improve their security, but many others do as little as possible to comply, and thus security isn’t increased in any meaningful way.
