PCI Compliance Ain't Information Assurance
Posted by John Verry on Fri, Aug 14, 2009 @ 10:23 AM
This post is largely the product of a great email from Mosi Platt who heads up our audit practice area ...
Robert Carr, the CEO of Heartland Payment Systems, had some very candid and controversial thoughts relating to the Payment Card Industry Data Security Standard (PCI-DSS), the Qualified Security Assessors (QSAs) who certified their environment as PCI compliant before their massive (up to 100M card) breach, and the difference between being compliant and being secure. Article here
The part that really jumped out at me was the statement about the QSA failing to check Heartland's vulnerability to a "common attack vector". Without additional information it's difficult to determine whether the criticism is fair.
Did the companies that were previously attacked using that vector disclose it? Had the vulnerability been disclosed by the researcher(s) who discovered it (or were they waiting for the vendor to issue a patch)? What if the "common attack vector" only rates as a low-to-medium severity vulnerability under PCI's own scanning standards? There's a potential information asymmetry problem that works against the assessor in these situations. Has Heartland shared detailed information about its attack with the QSA community as a whole to prevent the same situation from occurring elsewhere?
Is it the QSA's obligation to stay aware of common attack vectors, or is it the PCI Council's responsibility to promulgate "common attack vectors" to them? I believe it's both, but it's more important that the PCI Council does so, as it has visibility across every PCI compliance audit and data breach. Assuming the PCI Council does promulgate this information to QSAs, but not to the companies themselves or to other non-QSA auditors that do PCI DSS work (like us), then the Council is creating an additional incentive to pay the hefty fees to become QSA certified, at the expense of the companies and the consumers. This shouldn't be all that much of a surprise. Ask yourself why we haven't gone to two-factor authentication on credit cards to reduce fraud? (hint: because it's cheaper to let companies like Heartland take the fall)
I think the PCI Council is a great example of an industry association failing to fulfill their role of building trust between their members and their consumers (another great example). How many more PCI-compliant merchants will get hacked before that trust is completely eroded? As trust decreases, so does the industry's pricing power and the only way out of this mess is providing a higher level of assurance that will cost the merchants more money - but who's going to pay more money for a PCI audit if they don't feel compliance will actually secure them from hackers?
An incentive for conformance (i.e. compliance) is not an incentive for performance (i.e. effective security). Until PCI either gets the incentives right or mandates technology that's secure by default, the problem will only get bigger. How many more breaches of PCI-compliant companies will it take before the government intervenes?