PCI: A Brand, Not a Security Standard

Fri May 8 21:09:02 EDT 2009

security curmudgeon

I am so fed up with this entire ordeal. As a customer who was twice affected by Heartland's security breach (two different cards through two institutions were re-issued because of the breach), I am disgusted with Visa and Heartland. PCI and its cheerleaders make me angry.

Visa is a PCI fan because it transfers risk to their customers, and removes liability from Visa. It's in their best interest to maintain the integrity of PCI at any cost, even when that cost is violating their own integrity. How can anyone sit back and groan about this ordeal without getting mad? Visa, PCI and Heartland are as bad as Enron, as bad as the Wall Street thugs who tanked the economy, and are nothing more than wealthy criminals.

I have asked Visa to comment on specific aspects of this. Attrition has had calls in to Heartland to comment on points of confusion and question. We sit here, unsatisfied, without answers and wondering why either can stay in a position of financial power.

When the breach was first announced, Visa said that Heartland was not PCI compliant:

"We've never seen anyone who was breached that was PCI compliant," Phillips says without specifically naming -- or excluding -- Heartland. "The breaches that we have seen have involved a key area of non-compliance."

Yet they had seen this before, in the RBS WorldPay incident announced just two months earlier. RBS was PCI certified according to Visa's own site, as was Heartland when the breach happened. Common sense here, Visa: either they are certified or they aren't, and you said they were. You don't get to hire a PR flack to lie to the public and try to spin this away from tarnishing the PCI brand. And that is exactly what it is: a brand, not a security standard. While Visa listed Heartland as PCI compliant, Adrian Phillips (Visa's Deputy Chief Enterprise Risk Officer) was telling media outlets that they were not PCI compliant. Despite that, Visa then suspended both Heartland and RBS from PCI certification. If they were suspended, that means they were compliant, and Phillips lied to the public. Days ago, Visa restored Heartland's PCI validated service status after another QSA (VeriSign) said they were compliant.

Eduardo Perez [head of global data security at Visa] says that since January 20, when Heartland first announced the data breach publicly, Heartland worked with a QSA (VeriSign) to revalidate and submit a Report on Compliance. "Visa has reviewed their report and is satisfied that previous deficiencies have been addressed," Perez states.

Read that again, and read between the very big lines written in neon lighting. Heartland was PCI DSS compliant. Heartland was compromised. Visa says the recertification addressed "previous deficiencies." That means the "previous deficiencies" were not detected by the PCI standard, or were missed by the original QSA. Which is it, Visa?

Did the original QSA (Trustwave) get fined? Were they questioned about their methods for determining compliance (by anyone other than me, whose questions went unanswered)? With the Heartland CEO (Robert Carr) calling for more openness and communication, do we know enough about the incident to ask why PCI failed? Everything I have read suggests that a few thousand dollars spent in the right area would have caught the suspicious traffic in a matter of hours, not months. Bad guys were sniffing their network; if Heartland admins had also been sniffing their own network looking for credit card data in the clear, they would have seen the problem early on.
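The kind of passive monitoring the paragraph above describes, as an added example that is not code from attrition.org or Heartland: scan captured payload bytes for digit runs that pass the Luhn check, which is how a cleartext PAN crossing the wire would show up to a defender who is watching. The sample payloads and the test card numbers in them are constructed for the example.

```python
import re

# Constructed captured-payload fragments (hypothetical, not real traffic).
# Card numbers are standard industry test numbers, not live accounts.
SAMPLE_PAYLOADS = [
    b"POST /auth HTTP/1.1\r\nContent-Type: text/plain\r\n\r\npan=4111111111111111&exp=1209",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"order_id=1234567890123&amount=19.99",   # 13 digits, but fails Luhn
    b"track2=5500000000000004=1209101",       # PAN embedded in track-2 style data
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(rb"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload):
    """Return candidate PANs found in one payload: right length, Luhn-valid,
    and not a single repeated digit (0000... also passes Luhn)."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def scan(payloads):
    """Return (index, pans) for every payload that carries a cleartext PAN."""
    results = []
    for i, p in enumerate(payloads):
        pans = find_pans(p)
        if pans:
            results.append((i, pans))
    return results


if __name__ == "__main__":
    for idx, pans in scan(SAMPLE_PAYLOADS):
        print("payload %d: cleartext PAN(s) %s" % (idx, ", ".join(pans)))
```

On a real sensor the same logic runs over reassembled TCP payloads; a single hit from a host that should never carry card data in the clear is the kind of alert that turns months into hours.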

Heartland is now contesting the Mastercard/Visa-imposed fines. It is refreshing to see that PCI has *some* teeth and will punish those who fail their customers:

Of those costs, $6 million were in fines from MasterCard and almost $1 million from Visa for alleged failures in PCI compliance.

Heartland is claiming that they were PCI compliant and that such fines are against Mastercard's own rules as well as in violation of U.S. law.

Forgetting about the financial and political drama between Heartland and the PCI founders, what exactly does "probation" mean? Heartland had a network compromise that allowed attackers to control key elements of their architecture and intercept traffic. Are we really sure they removed all the access the attackers enjoyed? While on "probation", they were allowed to continue processing payments, which seems like negligence.

Consider that there is a "third" payment processor breach that is *still* unanswered. Visa and Mastercard are not saying who it is. In the past I said I knew who the third breach was. Logic 101 says that RBS WorldPay is the other big breach, and Visa's own wording implies that it is a *second* breach at RBS, not the initial one around October 2008. To date, no one in the know has contradicted my claims. So if I am right, that means that while on "probation", a company can get compromised just as easily as the first time, and consumer information can once again leak to bad people.

Cliffs Notes:

The bottom line is that PCI has good intentions, but is implemented by an industry hell-bent on transferring risk and liability. Visa and Mastercard care about consumer security as a distant third reason for PCI DSS compliance. Security is centered on integrity: integrity of systems, integrity of the people we trust to run the systems, and integrity of the people we trust to audit the systems. Without integrity, you have a group of people that are not so different from a well run and well disciplined criminal enterprise.

Achieving PCI compliance does not mean a company is secure. Even if a company meets every requirement to be PCI compliant, it does not mean they are secure. There are significant gaps and shortcomings in the PCI DSS standard big enough for dedicated attackers to drive a virtual dump truck through, which they use to cart off millions of records from the real victims: customers.
