PCI: Can Someone Please Go Back to the Drawing Board?

Deana Sellens
The PCI aspect of merchant acquiring appears to be paralleling the US Congress. There is too much red tape and bureaucracy, complemented by a whole lot of special interest groups. How do we dig the industry out of this mess? The recent hacks on PCI-compliant processors take me back to a hackers' conference I attended a few years back. The hacker demonstrated how to hack into merchant accounts via wireless. He actually held up what were then the CISP regulations and began laughing at all of us. I hate to be the one to break it to everyone, but PCI has been a joke to the hacking community for some time now.

The Bureaucracy

Spin PCI any way you want to... PCI is just a road map... PCI does not mean you are hack-proof... The cold hard fact is that the US needs to begin implementing another form of authentication at the point of sale. Render the card number useless and no one will want it.

The argument has been that the issuers do not want to endure the expense of reissuing cards. Is that not what they are having to do anyway in many of these cases? What about the impact on losses?

The merchant side's argument is that the merchants will not want to spend the money upgrading terminals. What exactly are they paying the processors for, with PCI compliance fees for themselves and for the processor? Someone's financial gain and a false sense of security, much like some of the identity theft monitoring "tools."

There is a need for security standards and education, but when exactly did things get this out of control? If companies the size of Heartland and RBS WorldPay cannot secure their systems, what hope is there for the auto mechanic, hair stylist, and bookkeeper with no IT staff? PCI is beginning to crush the American dream of owning a small business. Think about it the next time a small merchant goes into bankruptcy due to fines after a hack. We have lost sight of the real issues and have accepted a "fix the symptoms, not the cause" philosophy.

The issue here is that no one can admit the problem, and it is only going to get worse. As Canada moves to chip and PIN, the US will be seeing even more. The really bad attacks are not coming from within our own borders. We have very little control over what is happening or over the outcome of an investigation. Investigators and members of law enforcement are basically useless against a hack coming from Russia. When do we stop calling it fraud and begin calling it what it is... cyber-terrorism?

The merchant industry has pumped millions of dollars into PCI at this point, but the entire system needs to be rethought.

Special Interest

Everyone has an angle on PCI. A great example is the new certification exam called the Certified Payment Card Industry Security Auditor (CPISA) certification, put out by the Society of Payment Security Professionals. If you look closer at the SPSP group, dues are paid to the Aegenis Group, a security consulting firm. The exam may be a great tool. However, it is not recognized by the PCI Council. If the PCI Council is the entity recognized by the Associations, then it needs to be the one backing certifications. The SPSP's site states they are not affiliated with the PCI Council. You cannot view the SPSP's member companies, so it is not clear whether Visa, MasterCard, Discover and American Express are involved with them. Are the Associations endorsing this certification?

We would like to see statistics on the PCI vendor companies. The industry is held hostage to high prices by being restricted to approved PCI vendors only. It is difficult to choose the right one. RBS and Heartland, the two hacked processors, were both certified by Trustwave, per documentation on visa.com. It would be a real help for processors to be able to see the track records of the vendors. Even if the PCI vendor did the certification correctly, what type of education process is being offered during the assessment to the IT staff who have to support it after the fact?

It is nice to see the entrepreneurs of the world go after the PCI pot of gold, but it would be nicer to see some kind of actual solution.

Published by Deana Sellens

Deana Sellens is the COO of Take Charge Business Consulting. She specializes in risk, loss prevention, and operations consulting for the bankcard industry. View her LinkedIn Profile at http://www.linkedin.co...