PCI Council wants YOU to give it things to DO

Crusaders at the Payment Card Industry Security Standards Council have called for submissions into projects for 2015. The council is responsible for the PCI Data Security Standard (PCI DSS), a, to date, largely failed initiative to impose better credit card processing security on retailers. A Special Interest Group is …

  1. Anonymous Coward

    They aren't meant to enforce

    The PCI Standards Council only maintains the standards; enforcement of them is down to the card schemes and the acquiring banks.

    Prior to the PCI Standards Council, each card scheme (Visa, Mastercard, Amex) had its own requirements and standards, which would have been impossible for a retailer to adhere to. The PCI DSS is meant to be a common standard for all card schemes.

    The problem is that the card schemes don't have a direct relationship with the retailers; this is done by the retailers' acquiring banks, and because there is no co-operation between the acquirers, the standards do not get enforced. HSBC is not going to tell its major retail customers to become PCI compliant, because if it does the retailers will just move to Barclays, HBOS, etc.

    The only way to enforce PCI compliance would be for the acquirers to co-operate and agree that if a retailer does not meet PCI requirements it will have a 1% surcharge added to its interchange rates. That would make the CFOs at every retailer sit up and take notice.

    Please note PCI is not about Chip and PIN; it's about securely handling the card numbers and associated information. Most PCI requirements are just basic good information security practices: encrypt data, restrict access, etc. As somebody with 15+ years' experience of working with major worldwide retailers in information security, it's unfortunate, but most retailers will not implement basic security practices because, however much they say they value their customers and their customers' security, unless there is somebody with a big stick telling them to do it, they aren't interested.

    1. Oninoshiko

      Re: They aren't meant to enforce

      There is a very easy way to ensure compliance. Just have a couple of suits against retailers who lose information and are found not to be in compliance. Make the damages PAINFUL. Explicitly state in the ruling: "the only reason I'm setting these damages this high is because of the gross negligence of not following industry best practices (i.e. PCI DSS)."

  2. This post has been deleted by its author

    1. Alan Brown

      Re: stop pushing contactless cards on the unsuspecting public

      In the meantime, if you slice about 10mm into any side of the card you should break the antenna loop and disable the paywave part.

  3. A Non e-mouse

    Clarify existing rules

    Maybe the PCI should clarify their existing rules. They are quite vague and subject to interpretation. Some people may say that's deliberate, but I couldn't possibly comment.

    1. HipposRule

      Re: Clarify existing rules

      Particularly as far as wireless transactions are concerned....

  4. Anonymous Coward

    Extra fees for little service, for small businesses

    A small business, for whom I do some consulting, wanted to take credit cards for some payments. On the website end, we don't have to get that PCI certified, as we simply hand off the data to Barclays ePDQ, but because of their use of a virtual terminal in the office, and accepting orders with credit card info via post/fax, they have to have a PCI check on the systems there.

    There's a long self-cert form to fill in, much of which is simple common sense, but you're also effectively forced to pay a security consultancy to check your systems for you. This seems to have involved no visit, just an automated scan of the IP address that the office computers had when they set everything up.

    Of course, being a BT broadband line, after the odd long holiday with the office shut down, there's a different IP address. But the security company is still scanning the old one, sending reports warning that things are no longer PCI compliant because of an open admin port on a router, which wasn't even the client's own.

    There certainly is a need for people to adhere to best practice, but looking at the other comments here, it's easy to get the feeling that big companies get away with a lot, while small ones are forced to pay fees for testing and certification that aren't really achieving anything.

    AC, as it would be far too easy to identify my client otherwise.

    1. Anonymous Coward

      Re: Extra fees for little service, for small businesses

      It's not about company size, it is about the number of transactions. If you have a company of 5 people but collect 1,000,000 transactions, you are level 1, and have to comply with level 1 requirements.

      If you do only 5,000 transactions, you have far less to do. But ya still have to do it. If it traverses your network, you have to play ball.

      Frankly, PCI is an easy, extremely low bar to achieve. If anyone thinks PCI compliant means you are secure, you'll probably be owned at some point. Just give a bad actor a reason to focus on your company.

      You said it in your post: their IP changed. That's how cheap they are. They will not even pay the pittance extra for a static IP. Are they using a Dynamic DNS service too? Then scan against the hostname.
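
The failure mode in the two comments above (a vendor keeps scanning the address the office had on the day of enrolment, and every later report attributes somebody else's open port to the merchant) is easy to guard against before a scan result is accepted. This is an added example, not code from The Register, the commenters or any ASV vendor: it resolves the merchant's dynamic-DNS name at scan time, compares it with the address on record, and refuses to attribute findings that were gathered against a stale address. The hostname, the IP addresses and the finding entries are all constructed for the demonstration, and the resolver is injectable so the check runs offline.

```python
import socket
from dataclasses import dataclass


@dataclass
class ScanTarget:
    """What the scanning vendor has on file for one merchant."""
    hostname: str      # dynamic-DNS name registered by the office router (constructed)
    recorded_ip: str   # address captured when the merchant enrolled (constructed)


def resolve_ipv4(hostname, resolver=None):
    """Resolve hostname to an IPv4 string.

    resolver is an optional callable used instead of a live DNS lookup,
    so the logic can be exercised without network access.
    """
    if resolver is None:
        return socket.gethostbyname(hostname)
    return resolver(hostname)


def target_drifted(target, resolver=None):
    """Return (drifted, current_ip).

    drifted is True when the hostname no longer resolves to the address the
    vendor recorded, i.e. the vendor would be scanning somebody else's router.
    """
    current_ip = resolve_ipv4(target.hostname, resolver)
    return current_ip != target.recorded_ip, current_ip


def attribute_findings(target, findings, resolver=None):
    """Split scan findings into ones the merchant owns and ones that are stale.

    findings is a list of dicts with at least "ip" and "port" keys, as a scan
    engine might emit. Anything collected against an address other than the
    one the hostname currently resolves to is kept separately rather than
    reported as the merchant's non-compliance.
    """
    drifted, current_ip = target_drifted(target, resolver)
    attributable = [f for f in findings if f["ip"] == current_ip]
    stale = [f for f in findings if f["ip"] != current_ip]
    return {
        "drifted": drifted,
        "recorded_ip": target.recorded_ip,
        "current_ip": current_ip,
        "attributable": attributable,
        "stale": stale,
    }


# Constructed sample data: the office line came back from a holiday shutdown
# on a new address, but the vendor still scanned the old one and found an
# open admin port on a router that is no longer the merchant's.
SAMPLE_TARGET = ScanTarget(hostname="shop-office.example.net", recorded_ip="198.51.100.23")
SAMPLE_DNS = {"shop-office.example.net": "198.51.100.87"}
SAMPLE_FINDINGS = [
    {"ip": "198.51.100.23", "port": 8080, "issue": "router admin interface exposed"},
    {"ip": "198.51.100.87", "port": 443, "issue": "TLS certificate expires in 20 days"},
]


def demo():
    """Run the check over the constructed sample and return the report."""
    return attribute_findings(SAMPLE_TARGET, SAMPLE_FINDINGS, resolver=SAMPLE_DNS.get)


if __name__ == "__main__":
    report = demo()
    print("target drifted:", report["drifted"],
          f"({report['recorded_ip']} -> {report['current_ip']})")
    print("attributable findings:", report["attributable"])
    print("stale findings (not the merchant's):", report["stale"])
```

The point of resolving at scan time rather than trusting the enrolment record is that the merchant's attack surface is whatever their hostname points at today; a finding on an address they no longer hold is noise at best and, if the vendor is probing somebody else's router on the merchant's behalf, a problem of its own.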

  5. chris lively

    I propose that the PCI group just go ahead and disband. It's pretty worthless as it stands.

  6. Hubert Thrunge Jr.

    costly Quango

    My business used to take credit cards, only via a Barclays PDQ terminal, no online facilities etc. PCI DSS brought in a more than double rise in my costs, and that's without taking into consideration the amount of time spent on form filling and admin.

    While I was lucky that I could self-certify, it made it all uneconomic, so I told Barclays where to poke it, and if someone wants to pay by card, they can use PayPal.

    They should spend their time looking at ways to make card payments more secure, not at punishing retailers for not taking cash!

  7. Anonymous Coward

    First, you have auditors that either (1) are overzealous in the spirit of the standards, and end up wasting resources driving a company further from the objective, or (2) come over from financial audits or whatever (non-IT) and don't have any understanding of the information in front of them.

    ... and then it happens: FRAUD! Fraud by the companies that just want to cha-ching, and are annoyed that they *should* have to comply with any standard.

    I worked for a level 1 merchant for 1.3 years, and quit. I refused to have anything to do with that organization's jeopardizing of their more than 1,000,000 CC transactions, from people across the entire globe, every single continent.

    How can an auditor miss THE main payment system, limping along on a Windows 2000 cluster running MS Commerce Server, with a back end of FoxPro for DOS (no lie, copyright 1989), today? Simple: both management and internal audit hide that information from the clueless third-party auditor.

    Can't patch end-of-life hosts. Can't patch non-EOL hosts; it breaks the other apps. Web devs choose the worst method of coding, like writing their own encryption algorithm, then lopping off the first half of the bits. I've worked with web hosting companies and all their PCI customers cheated (except one). I'm so tired of hearing, "I just want to check the box". Fine, lie and check the box. I'm out!
