security curmudgeon, from attrition.org, has several good questions about the whole Heartland-Visa-PCI incident, such as:
- According to Visa, was Heartland PCI compliant or not prior to the breach? And why has the answer changed?
- Was RBS Worldpay compliant prior to their problems? (Perhaps I should interject this question: Does Visa know what makes a company PCI compliant?)
- How can Visa suspend certifications that a company doesn’t hold?
- Were Heartland’s “previous deficiencies” not detected by the PCI standard or the original QSA (qualified security assessor)?
- Did the original QSA (Trustwave) get fined?
- Why was Heartland allowed to continue processing payments while on probation?
- With all the unanswered questions, how can Heartland or Visa stay in a position of power?
- Who is the third payment processor that Visa said was breached? And why won’t Visa answer that question?
security curmudgeon closes his rant appropriately:
Achieving PCI compliance does not mean a company is secure. Even if a company meets every requirement to be PCI compliant, it does not mean they are secure. There are significant gaps and shortcomings in the PCI DSS standard big enough for dedicated attackers to drive a virtual dump truck through, which they use to cart off millions of records from the real victims: customers.
I agree with s.c., but I’d look a bit broader. There are so many standards and regulations that try to address only their part of the galaxy instead of just addressing security risk as a whole.
Read s.c.’s full rant, PCI: A Brand, Not a Security Standard, here (requires free membership to access content).
See the previous post about PCI. I still think the PCI standard is relevant, but I agree that Visa needs to sort out the integrity issues.