PCI Compliance exposed for the joke it is

From an Associated Press article:

More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers… Meanwhile, many others likely have been breached and didn’t detect it. Even the companies that had the payment industry’s top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.

For those not already in the know:  PCI Compliance refers to PCI-DSS, which stands for Payment Card Industry Data Security Standard (sounds like a good idea, right?).  PCI Compliance is being required by all the major credit card processors of every business that processes cards.  That’s pretty much all of ’em.  The security standards are unrealistic for many businesses, and incomplete in their attempt to prevent data breaches.  For example, the standard requires relatively strict access restrictions to all POS and card processing servers, such as requiring all service technicians to present ID badges, in some circumstances going so far as to require video surveillance on the server racks.  The standard neglects, however, to restrict access to the POS terminals and network workstations.  There are a lot more clients on a network than servers: WAY more points of entry, and usually lackluster security.

Now that the deadline for businesses to come into compliance is nigh, studies are already rolling out on the effectiveness of Big Credit’s new magic pill to solve the perennial breaches.

Companies that are not compliant with the PCI standards — including one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don’t have to endure security audits, but can evaluate themselves.

Credit card providers don’t appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.

When I got my first credit card I thought, “this is going to be great, now I can spend money I don’t have!  And y’know, it’s my credit & my ass on the line, but if someone else wants to spend that money too, I guess that’s cool too.”  OK, that didn’t really happen.  Did you think that?

It’s a sham.  It’s half-assed.  It’s costing small businesses thousands of dollars to pay security firms to test and certify their systems.  Many of these companies don’t even employ IT staff.  The PCI recommends only 5 security firms to certify through.  How is this protecting the consumer?  In the end the standard succeeds mostly in diverting money away from local economies into already full pockets.
