Security experts are starting to grumble about the Payment Card Industry Data Security Standard, saying that some merchants just want to get PCI-certified as cheaply and easily as possible, and that the PCI certification system is set up to help them do just that. According to Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, the problem is that there are no repercussions if an ASV (approved scanning vendor) passes a retailer and slaps a PCI certificate on the merchant, only to have that same merchant wind up experiencing a security breach. This reminds me of the web site security certification trend a few years back.
There were a handful of legitimate certifications like WebTrust, issued by the AICPA, and then there were a whole lot more that meant practically nothing. In some cases all you had to do was pay a few thousand dollars and you got the seal that ostensibly proved your site was secure. I sincerely hope that PCI does not travel down that road, but after some of the stories I've heard, it looks like it may very well be heading that way. Bob Russo, general manager of the PCI Security Standards Council, states that were a PCI-compliant merchant to lose data in a security breach, the Council wouldn't get involved. Instead, the situation would be in the hands of the card brand concerned. "We don't get involved in forensics," he said, explaining that the Council therefore has neither the means nor the intention of investigating security assessors that might PCI-certify a merchant whose security posture doesn't rate. This should come as no surprise to companies that are dealing with PCI compliance, but it should be surprising, and scary, to those of us who were hoping that PCI was going to improve the secure handling of our credit card data.