Consumer Reality Check - Lifting the Veil on PCI DSS
I read an article entitled “Global Payments has some explaining to do” (Source: CSO) today and there were some interesting points made by Bill Brenner, managing editor of CSO. He asked specifically, “How on Earth were they designated PCI compliant in the first place? What were the specific actions they took to improve security and how did they allow those safeguards to fail? How rigorous was the auditing process? Did the QSAs put the processor through the wringer, or did they just casually saunter in, check off some boxes and move on to the next customer?”
These are great questions from a consumer standpoint. Being an executive insider, I’ll share some insights and experiences that will lift the veil on the reality of the Payment Card Industries Data Security Standards. Nothing I am writing about is specifically citing any company directly. This is purely consumer revelation about the true nature of what PCI DSS really means.
In my career to date, I’ve been the Chief Security Officer and Auditor to several organizations within the banking, payment processing and retail markets all of which are subject to the PCI DSS guidelines. PCI for the layperson is simply a set of guidelines established by the credit card companies, specifically, Visa, MasterCard, American Express, Discover and JCB International. PCI is not driven, monitored, influenced or managed by the government, but by the same industry foxes guarding the proverbial hen-house.
Continued on the next page
Merchants and payment processing companies who process more than 6 million credit card transactions annually must independently hire qualified security assessors, otherwise known as QSAs. This independent business relationship between the buyer of required services and the seller of those services establishes the potential for collusion and fraud which I have seen in action first hand. The PCI certification is only as good as the honesty, integrity, and competence of the QSA which in my experience is extremely subjective. I can also tell you with a straight face that I’ve never worked with a QSA who didn’t miss something crucial in their examinations, yet the client company receives a clean bill of health. Most of these client companies are trying to do the best they can; after all, it is their business and reputation on the line.