GUEST BLOG: Thoughts From the PCI Trenches

[Ed: I am very pleased to present a guest blog for a good friend of mine. He and I have spent more time in the PCI trenches than we would either care to admit.]

“I read your blog somewhat religiously and I find myself thinking about my feelings towards PCI both from an assessor and client perspective and moreover as a security professional.

With breaches now on the rise, it is time to reflect a bit on how did we get here? Why are things this way? Is PCI working?

We got here because of money. The almighty dollar (pick your currency). Greed, my friends, has fueled this issue for years and will continue to do so.

Greed by the card brands has pushed them to promote acceptance so wide that the only way anyone even thinks about non-cash payments is with a card. This push for acceptance came in the early 1990s and continues today. At that time, very little was thought of PCI other than a little fine print that was quietly overlooked until breaches began to result from this push.

At that point, the card brands felt that the public – being sufficiently hooked on the drug of convenience – was finally ready for enforcement of compliance with standards. Shortly thereafter the PCI SSC was born, and the real greed and corruption was to begin.

Below are a few points that have been smoldering quietly in the back of my head that are now demanding to be shared.

  1. Unless it’s my core business, it will never be my core competency. You cannot make merchants into military. They won’t go, they never will, stop trying to make them. Realize this now and move on.
  2. The card brands have created the problem by pushing their acceptance channels as hard as they have, and then attempted to throw security on top of the pile long after the fact. Security first, acceptance of cards later.
  3. The card brands added insult to injury by creating the PCI SSC. This is a self-serving group that dictates a set of documents and charges fees, then completely and utterly fails to enforce its own assessor quality assurance program.
  4. The SSC has, through their actions and inaction, contributed to the creation of a scandalously corrupt cottage industry of PCI QSACs. These companies are selling assessor services for a flat fee and assigning work at a rate of 35 to 45 PCI assessments a year per QSA. This volume is horrific and does not serve the client, or the card brands. The delivery of an appropriate assessment is simply not possible. You can have two of the three, “cheap”, “fast” and “good”, but only two. Cheap and fast does not make for good, yet the SSC has allowed the QSACs to promote and aggressively sell just that.
  5. The SSC has allowed the same QSAC and QSA to assess the same environments year after year creating complacency and further corruption. If you care about compliance, rotate assessors. Assessors make bad calls, and in order to maintain the client, must live with them year after year. Fresh eyes are critical to maintaining integrity.
  6. The card brands have failed to adopt more secure methods of moving funds. The clear text account number adhered to the back of a piece of plastic via technology that rivals that of the 8-track player in my mother’s 1976 Mercury Cougar. This is criminal.

I could go on and on, but the key point remains the same: the card brands are the cause of the problem, and have made it worse by setting up an unrealistic security program rather than focusing on their own flawed methods.

The reality is this: PCI is a way to shift the burden of securing the otherwise insecure from the card brands to the merchants, banks and service providers. God forbid the card brands pick up the tab?

As long as I am ranting, how is it that Moore’s Law drives down the cost of all technology except when it comes to transaction processing?

Will my rant change anything? No, but I do feel a bit better sharing with you all.


Frustrated Assessor”

2 thoughts on “GUEST BLOG: Thoughts From the PCI Trenches”

  1. Good post,

    I always find it interesting when I am onsite at a client and find multiple deficiencies and a week later another QSA comes along and validates everything as compliant.

    When will QSAs, as a general statement, take their responsibility seriously and perform assessments with a sense of pride and due diligence? I for one will never sign an AoC where I can’t trust the environment to be fully compliant, but many QSAs don’t seem to care about either security or compliance.

    • Thank you JH, and the issue here is one of integrity. The SSC’s training for QSAs starts in the wrong place, covers the wrong subjects, and ends before security begins.

      Compliance is seen as a project, not a process, and no amount of training could make a QSA a security consultant, and certainly not the training that’s provided.
