The wild, wild west of PCI
Sorry for not blogging all week, but I have been at the 20th annual ETA (Electronic Transactions Association) conference at the Mandalay Bay Hotel in Las Vegas. This was my first time attending the ETA show. I was very much looking forward to being at a non-security show of end users who are dealing with PCI every day.
WOW! What an eye opener on many levels. First, the payment processors and merchant service providers. Even at this late date, they don’t believe the PCI Council is serious about enforcing PCI compliance on Level 3 and Level 4 merchants. After speaking to these people, I am convinced it is going to take the Council making a few examples to show them it is truly serious.
Secondly, these same people just don’t see the lower-level merchants as any appreciable risk. In spite of the fact that 85% of incidents take place at that level, they simply refuse to acknowledge it.
Next, they believe that as long as they have a program in place, they have done their part. If the merchants don’t want to participate, so be it. They charge the merchant for the program. They pocket the money. Most of them only pay their PCI partner for completed merchants. The fewer merchants who actually go through it, the more money the processor puts in his pocket. Risk be damned.
But the processors are not the only ones to blame here. There is a class of vendor that knows absolutely nothing about PCI, and they are the culprits here. They are offering ASV scanning and help with filling out SAQs for a dollar a merchant.
I spoke to two or three of these vendors. They were software developers who develop reporting software. They knew next to nothing about PCI or information security. They took the PCI Council SAQs, put them in a report format, cobbled together a scan or made a flat-price deal with an ASV, and that is it.
I asked them if they had ASV engineers reviewing the scans. They looked at me like I was crazy. One of these companies, DDS, says they do this:
- Merchant Services
- Customer Service
- Agent Bank Reporting
- ISO Reporting
- Fraud Monitoring
- Management Reporting
Yet there they were, pushing PCI compliance for a dollar a merchant. Sounds like security experts, right?
Instead of taking the opportunity to reach perhaps the most important members of the payment card food chain, snake oil salesmen are pushing solutions that give a whole new meaning to checkbox compliance and security.
Faced with this, is it any wonder that PCI has not done enough at the Level 4 merchant level?