The PCI Security Standards Council, a group formed in 2006 by the five major credit card companies, maintains the list of assessors and is in charge of training, assessing and vetting all of its 105 QSAs (Qualified Security Assessors) and 135 ASVs (Approved Scanning Vendors). Bob Russo, general manager of the council, based in Wakefield, Mass., said he's not aware of any breaches in the past four or five years in which the merchant that suffered the breach had been PCI-compliant.

Were a PCI-compliant merchant to lose data in a security breach, the PCI Security Council wouldn't get involved; the situation would then be in the hands of the given credit card brand, Russo said. "We don't get involved in forensics," he said, explaining that the Council therefore has no means, nor any intention, of investigating security assessors that might PCI-certify a merchant whose security posture doesn't rate.

Some security experts aren't mollified, and they point to the enormous CardSystems breach of 2004 as an example of why there needs to be a backup plan if assessors rubber-stamp merchants. "Look at the history of PCI. Look at the PCI-certified organizations we've seen suffer breaches," said Rich Mogull, an independent security consultant, founder of Securosis and former Gartner analyst.

CardSystems, a credit card processing company, had its computer system penetrated by data thieves sometime before June 2005, exposing data belonging to 40 million cardholders. At the time, MasterCard claimed that CardSystems had never demonstrated compliance with the company's standards. CardSystems told a different story, though, informing the New York Times that it had been audited in December 2003 by an unspecified independent assessor and that it had received a seal of approval from the Visa payment association in June 2004. However, those audits were more than a year before the breach itself, said a spokesperson for the PCI Security Council.
"The DSS specifically prohibits the storing of magnetic stripe data [a security blunder to which CardSystems admitted]. If a company is storing this data, they are not compliant with the DSS. No organization who has been compliant with the DSS has ever suffered a breach," he said. "You can't expose data that isn't there; had they not been storing this data, they would not have been at risk."

At any rate, the way Mogull sees it, PCI was never about protecting consumers or improving security to begin with. "The way the program is designed, it pushes all liability for card security onto retailers and transaction processors," he told eWEEK in an interview.

Indeed, Mogull said, there are things the credit card companies could do to improve the security of online transactions, things that are outside of retailers' control. The credit card companies aren't implementing them, however, because they're too expensive, he said. One example is SET (Secure Electronic Transaction), a protocol for securing online credit card payments developed by Visa and MasterCard. SET lets a merchant accept a certificate in place of a user's actual credit card number, so funds can be charged to a consumer's card without the merchant ever handling the card number itself.
As it is, he told eWEEK in an interview, security assessors go through an "arduous" test of their scanning tools to make sure those tools can catch the hundreds of constantly shifting vulnerabilities that crop up, that the tools describe vulnerabilities in sufficient detail and that they provide clear instructions on how to correct a given vulnerability.