Comments on: MasterCard Becomes The First Card Brand To Publish PCI Fines

By: Eric Jernigan

Eric Jernigan — Thu, 31 Dec 2009 19:30:59 +0000

I don’t understand how you can do a risk assessment involving PCI unless fines are published and transparent. I have been relying on the word of QSAs to get this information but that is a BS way to get this basic kind of information.

ALL fines and sanctions regarding PCI noncompliance/breach need to be on the http://www.pcisecuritystandards.org site- PERIOD

By: Bob Smith

Bob Smith — Tue, 25 Aug 2009 00:40:08 +0000

I agree with Jeff Wilder. The current system is fundamentally flawed. It is based on the idea of keeping a plain text number secret; a number which you must share with everyone you do business with. In a typically e-commerce transaction, the card data could be stolen by a virus/keylogger on the consumers computer, a packet sniffer on a compromised network, from a compromised web server, from a compromised card processor, from a compromised internal system at the merchant, by a dishonest employee, etc. The idea that PCI compliance will change anything is unrealistic.

The card companies are deflecting the responsibilty to the merchants instead of fixing the problem. The system needs to be changed.

By: Jim Bagozzi

Jim Bagozzi — Tue, 11 Aug 2009 12:00:25 +0000

I certainly support the standards approach and the attempt from the industry to self-regulate. Unfortunately, the ‘bad guys’ always seem to be one step ahead. Matter of point: the major breaches that have hit the press over the past few years have been attacks on ‘PCI Certified / Compliant’ organizations.

By: Jeff Wilder

Jeff Wilder — Fri, 07 Aug 2009 22:34:08 +0000

As a QSA, with numerous years in audit and security experience , I can speak from a position of authority on this subject. What I find difficult is that the card brands provide all the data in clear text to begin with and then put the onus of responsibility to protect it on the same person who is selling you the ice cream. If the card brands truly wish to protect their data, then they should change to architecture which the card processing is built on (via strong encryption, salted hash value, one time card numbers, etc) …. And own the process of protecting the data themselves, rather than relying on the shoe, clothing store or local restaurant. Lets not forget who actually owns the data here… its not the merchant or service provider. The card brands need to take ownership.

By: Gareth

Gareth — Fri, 07 Aug 2009 17:24:18 +0000

@steve –

Unlike doctors, lawyers and legal professionals there are no enforced minimum standards of education and training for QSA’s. 2 days “training” and an open book exam does not equate to a professional opinion.

The supposed 5 years previous experience is not checked out by anybody. No previous audit experience or qualification is required. Your securty experience could have been doing literally anyting – I know an AV analyst of 3 years experience who is now a QSA.

The scheme is absolute junk for that reasons and more..

By: Steve Davies

Steve Davies — Fri, 07 Aug 2009 16:10:06 +0000

In many other professions, medical, legal and professional engineering to name a few, second opinions and differences of opinions are the norm. The folks at the PCI Security Standards Council insist that each Qualified Security Assessor weigh the exact circumstances and render their own opinion. I think this is exactly the way it should be. Only the QSA has enough information at hand to render an opinion. Of course, just like doctors and lawyers, QSAs are human and have different interpretations of the same information. In the end, I think merchants benefit from this. There is more than one secure (and many insecure) implementation in most cases and this affords the merchant greater flexibility.

By: Bryan Johnson

Bryan Johnson — Fri, 07 Aug 2009 13:34:14 +0000

Despite the sensibility of PCI standards normalization across card brands, it seems that most can’t resist maintaining something unique. Which, in the end, complicates matters.

I also agree with Terri Quinn-Andry, it’s nice to see some openness from MasterCard.

By: Chuck Williams

Chuck Williams — Fri, 07 Aug 2009 13:14:33 +0000

Notwithstanding the need for independent “3rd party” assessments, I find the interpretation of many of the PCI DSS requirements to be subjective depending on which QSA is rendering an opinion. In many cases we’ve received a favourable opinion from one QSA and a contradictory opinion from another. The merchant is left pondering the futility of it all.

By: Jason

Jason — Fri, 07 Aug 2009 13:12:18 +0000

Well said Sean, you hit the nail on the head.

By: Sean McDermott

Sean McDermott — Thu, 06 Aug 2009 14:52:17 +0000

James – it is both and more.
First, companies should be applying even more stringent security requirements than those required by PCI. They don’t – and the fact is they will always apply the lowest set of standards they can get away with because securing data costs money.
Secondly, it would be a conflict of interest to have a company performing it’s own security assesment. IMO, the SAQ is one of PCI’s greatest faults.
And lastly, the food industry has shown how well self-examination and certification programs work.

By: James Reinhard

James Reinhard — Thu, 06 Aug 2009 11:34:20 +0000

I do not understand why an organization’s internal audit department cannot perform the assessment? Is it an independence issue? Is it a qualifications issue?