Thursday, August 6, 2009

The PCI Gotcha Rule

Visa proudly stands behind their pronouncement that no organization that is certified as PCI compliant has ever been breached. Think about that – NEVER! Doesn’t that strike anyone as odd? Billions of dollars have been spent by thousands of companies to ensure that they are PCI compliant, yet the crooks always seem to target those companies that are not PCI compliant. How is that possible? Is there a list somewhere that only crooks have access to that identifies these errant companies? Do they have some sort of mark that sets them apart?
Well, actually they do. Every company that has been breached thus far accepts or processes Visa and MasterCards. As such, they fall under Rule 6 of the PCI compliance rules. Paraphrasing Rule 6 - “All participating companies will develop and maintain secure systems and applications.” This rule seems, on the surface, to be innocuous, but upon reflection, it is incredibly nefarious. Why? Because taken to its logical conclusion, it is impossible to ever be PCI compliant. NEVER! Think about it, if you have suffered a breach, you have not maintained a secure system or application and therefore are in violation of Rule 6, thus are not PCI compliant. Now that’s a rule!
No wonder Visa is so strident and resolute in its pronouncement. Logically, they are absolutely right. In the real world where the rest of us live, however, it doesn’t quite ring true. There is something a bit out of whack with the logic. It would seem appropriate, in light of this rule, that all parties that accept or process Visa and MasterCards abandon any further efforts to become PCI compliant and redirect all current and future PCI related dollars into a huge legal defense fund dedicated to destroying the rule making bodies that promulgate or enforce PCI regulations. It only seems right to fight fire with fire.
Another thing about PCI compliance drives me crazy. Visa and MasterCard both maintain that they only enforce the rules promulgated by the PCI council – like they are at arm’s length in the process, although they both are founding and funding members of that august body. Yet they are both “for profit” companies. As such, creating shareholder wealth is their prime directive and motivator. Given that scenario, would it seem too Machiavellian to consider that one way to maximize revenues is to develop a set of standards that cannot be met, thus ensuring a steady flow of income? Just a thought!

Paul Martaus
