Archive for July 27, 2009

Opinion: PCI-DSS, it’s all about shifting risk

I get to hear a lot about PCI lately: from customers, from industry partners and from sibling companies. It’s an acronym that is receiving a lot of hype, and there is a strong showing of folks out there who are determined to find a dollar in it, whether through the use of FUD (fear, uncertainty and doubt) or through the compliance cost carnival.

This week we had a customer call us up and demand that we be PA-DSS certified. We tried to tell him that since we do not distribute our cart or payment processing engine, there was no need for us to be PA-DSS certified. PA-DSS, or PABP as it used to be called, is a standard intended to apply to folks who sell software to be installed on the customer’s third-party server. An example of this would be Zen Cart. By the way, out of the hundreds of self-hosted carts out there, currently only 5 are PA-DSS certified, probably due to the high cost of the certification process ($40K). As it stood, this customer took a lot of convincing. Apparently he had engaged a PCI consultant who misdirected him, perhaps through ignorance, but I am cynical about this overnight industry and wouldn’t be surprised if it was a deliberate attempt to grow the scope of the engagement.

Back to PCI-DSS. Another bit of confusion I hear from customers is the belief that they will be “hacker proof” after completing it. Since most merchants will fall under the least restrictive Level 4 category, and their compliance will be measured by a self-answered questionnaire, this seems a little like wishful thinking. The whole audit process is aimed at point-in-time compliance. That is, on the day the audit is completed, all parties involved attest that it is accurate to the best of their knowledge. Since a clumsy server administrator can undo that the very next day, all the audit really does, even at its most thorough, is reduce the attack surface of the customer’s application, not eliminate it. For an example of this thinking, look up the circumstances of the WorldPay breach. WorldPay was certified to the PCI-DSS standard only 2 months prior to gushing customer credit cards like an old-time Texas wellhead.

I can’t help believing that the whole PCI-DSS process is simply a way for card issuers to shift risk, and the cost of managing it, onto the merchant. Certainly the work required to pass an audit is expensive, not just in terms of hardware (firewalls, IDSs, vulnerability scanners, etc.) but also in the labour that now has to be directed at maintaining the standard 12 months a year. When Heartland got breached last year, their auditor then got seriously hosed by the card issuers on the grounds that if the audit had been accurate the breach would not have occurred. This is rather disingenuous, since this “belief” doesn’t seem to be held by anyone else in the process. Even if we accept for a moment that the Big 3 aren’t in the business of making money off invented rule sets (and I personally am not convinced that they don’t have a line in their P&L for compliance income), the auditors are certainly making a mint. When an audit for a Level 1 processor can run into the hundreds of thousands, somebody is making money. If it walks like a duck, etc.
