April 16, 2010

The wild, wild west of PCI

Sorry for not blogging all week, but I have been at the 20th annual ETA (Electronic Transactions Association) conference at the Mandalay Bay Hotel in Las Vegas. This was my first time attending the ETA show. I was very much looking forward to being at a non-security show of end users who deal with PCI every day.

WOW! What an eye opener on many levels. First, the payment processors and merchant service providers. Even at this late date, they don’t believe the PCI Council is serious about enforcing PCI compliance on Level 3 and Level 4 merchants. After speaking to these people, I am convinced it is going to take the Council making a few examples to show them it is truly serious.

Secondly, these same people just don’t see the lower-level merchants as any appreciable risk. In spite of the fact that 85% of incidents take place at that level, they just refuse to acknowledge it.

Next, they believe that as long as they have a program in place, they have done their part. If the merchants don’t want to participate, so be it. They charge the merchant for the program and pocket the money. Most of them only pay their PCI partner for completed merchants. The fewer merchants who actually go through it, the more money the processor puts in his pocket. Risk be damned.

But the processors are not the only ones to blame here. There is a class of vendor that knows absolutely nothing about PCI, and they are the culprits here. They are offering ASV scanning and help with filling out SAQs for a dollar a merchant.

I spoke to two or three of these vendors. They were software developers who develop reporting software. They knew next to nothing about PCI or information security. They took the PCI Council SAQs, put them in a report format, cobbled together a scan or made a flat-price deal with an ASV, and that is it.

I asked them if they had ASV engineers reviewing the scans. They looked at me like I was crazy. One of these companies, DDS says they do this:

  • Merchant Services
  • Customer Service
  • Agent Bank Reporting
  • ISO Reporting
  • Fraud Monitoring
  • Management Reporting

Yet there they were, pushing PCI compliance for a dollar a merchant. Sounds like they are security experts, right?

Instead of taking the opportunity to reach perhaps the most important members in the payment card food chain, snake oil salesmen are pushing solutions that give a whole new name to checkbox compliance and security.

Faced with this, is it any wonder that PCI has not done enough at the Level 4 merchant level?

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.