PCI DSS Keeps Its Perfect Record Intact
I was reading Brian Krebs' follow-up article on the Global Payments breach this morning, which reports that something less than 1.5 million credit card records may have been stolen in this mess. How much less is still open. Could be 50k, could be 1.499m; I guess we will have to wait for more info. (BTW, kudos to Brian for once again showing why he is just so over and above everyone who writes about security: bloggers, reporters, writers, etc.)
I then read my friend Bill Brenner's piece saying that Global "has some 'splaining to do". Bill is right: Global Payments is going to have to give us a lot more details about how this happened, and they should step up and take the blame here. The truth will set them free, but the fines, I am sure, will be heavy.
In the meantime, the security industry will analyze, over-analyze, and read tea leaves and goat innards trying to piece together how this could have happened. With Albert Gonzalez behind bars, our own Lee Harvey Oswald couldn't have done this one, so we should be on the lookout for the next Sirhan Sirhan.
One party, though, who will take no blame on this is the PCI Council. In fact, they have managed to keep their perfect record intact through this one. As Brian noted and Bill said as well, Visa has promptly removed them from their list of compliant service providers. They are not PCI compliant. That is why they were breached. Of course, if they were compliant, this breach would never have happened, right? Wrong.
No PCI compliant provider has ever been breached. The whole thing is crazy. If you are breached, you are not compliant by definition. Your compliant status applied only at the moment you were certified; the moment after, if anything happened, it is because you were no longer compliant. So what is the use of being on VISA's compliant service provider list? It just means you haven't been breached yet, or recently.
So Global was not PCI compliant and will now have to be re-certified. The moment after they are certified, if anything happens, they will not be PCI compliant again. This is a game where all of the rules are stacked for the Council. They can't lose.
The losers are consumers and merchants who play this game. Merchants are charged lots of money to become PCI compliant. They are told that everyone has to be compliant, most especially the processors. Consumers are told that VISA, MasterCard and the rest of the industry have instituted the PCI DSS to protect them, and that no PCI compliant merchant or provider has ever been breached.
The reality is that the only ones getting any protection are the card brands and their bank cronies, who are offloading the liability to merchants and processors instead of themselves and who dip their beak every time one of us pays with plastic. The idea behind the bank and credit card company fees was that they were taking the risk when people promised to pay later while using plastic now. But much of that risk has now been offloaded to merchants and processors, and debit cards take the money out of your account almost instantly. The card brands have little to no risk and still charge both the consumer and the merchants high fees, dipping their beak on both sides of every transaction. That is not being a bird, it is being a pig.
So while their perfect record remains intact, the PCI Council remains the undefeated heavyweight champion of meaninglessness.