
August 2009

08/31/2009

Data Security Around The Web

The last two weeks in the payment (and information security) industry have been filled with various accounts of Albert Gonzalez (a.k.a. “soupnazi”), his accomplices, and their roles in the largest credit card fraud and identity theft conspiracy in U.S. history.

Naturally, Gonzalez’s crimes appear to have been large enough, and bold enough, to quickly make him infamous, especially around the internet.  Is Gonzalez a “folk hero?”  Is he “Dr. Evil or Lee Harvey Oswald?”  Is he a “computer genius or common hood?”  Is he a “cybercrime mastermind?”

Regardless of what you’d like to call Gonzalez, and his attorney would prefer that you not call him kingpin, this high-profile crime has many wondering the same thing, namely, “how did ‘soupnazi’ allegedly steal 130 million credit cards?”  Prosecutors contend that “Gonzalez and his associates exploited vulnerabilities that remain widespread,” relying on structured query language (SQL) injection attacks on vulnerable websites. 
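The attack the prosecutors describe works because user input is spliced into SQL text and then executed as part of the query. The following example is added here to illustrate that weakness next to its fix; it is not code from the original post or from any of the breached companies, and the customer table, e-mail addresses and masked card digits are all constructed.

```python
import sqlite3

# Constructed sample data (not real cardholders): the kind of table a
# merchant site might expose through an injectable lookup form.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "****1111"),
    ("bob@example.com", "Bob", "****2222"),
    ("carol@example.com", "Carol", "****3333"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The weak pattern: user input concatenated into the SQL text.

    The input is treated as code, so a value containing a quote and
    an OR clause rewrites the WHERE condition and the query returns
    rows the caller never asked for.
    """
    sql = "SELECT name, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The corrected pattern: a parameterized query.

    The SQL text is fixed at write time; the driver passes the value
    separately, so quotes and keywords in the input are only
    characters to match against the column.
    """
    sql = "SELECT name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic tautology used to test a lookup form
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row in the table
    print("safe:      ", lookup_safe(db, probe))        # []
```

The same probe against the parameterized version matches nothing, which is exactly the behaviour a PCI assessor looks for when reviewing how an application builds its queries.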

In what might be the security incident of the year, Gonzalez and his cronies reminded those of us concerned with secure payments that the security threat is very real, and that serious vulnerabilities remain for those who choose to take that threat lightly.  Commentators and consumers can take some small solace from Gonzalez’s arrest and indictment, as, obviously, can prosecutors and investigators, but the reality is that the best defense against future large-scale attacks is vigilance and improved security.

08/25/2009

PCI DSS Training

For most merchants, PCI compliance can be complicated.  Recognizing this, the PCI Security Standards Council is seeking to close the information gap by offering a comprehensive PCI Standards Training program for merchants and their security staff.  

The inaugural training program is offered this calendar year, with three events remaining: one in Las Vegas at the Mandalay Bay Hotel, September 21st and 22nd; one in the Czech Republic at the Marriott Prague, October 29th and 30th; and one at an as yet undetermined U.S. location, December 8-10.

The training will use much of the curriculum the PCI SSC uses to educate prospective PA-QSAs.

While the PCI SSC Training program is not a certification course, it does provide merchants and IT staff with the requisite knowledge to better understand and prepare for an on-site PCI assessment.  The training program will also assist merchants and IT staff in developing and maintaining a post-assessment compliance program.

Whether you’re a merchant looking to better understand PCI compliance or an IT person hoping to gain a better understanding of information security best practices, the PCI DSS training program seems likely to increase your knowledge base.  Given your choice of cities, too, you’re very likely to have a great time, be it gambling away your budget in Las Vegas or drinking away your hours in Prague…

08/17/2009

PCI Compliance Around The Web

It’s been an interesting couple of weeks in the PCI compliance world, with no shortage of aspersions cast toward PCI standards specifically, and the payment card industry in general.  PCI proponents, though, aren’t taking the criticism lightly, choosing to push back hard against what they believe are misguided notions.  Let’s take a look around the blogosphere to see the gloves come off in this contentious clash.

The de facto stance of many PCI critics, including National Retail Federation president Dave Hogan, is that PCI compliance is little more than “an elaborate patch.”  Noting past PCI-related misstatements, though, Michael Dahn at the Chaordic Mind blog comfortably compares Mr. Hogan to “conspiracy theorists.”  As Dahn points out, PCI compliance is but one important component of data security; it’s neither a total solution nor is it, as Alan Shimel explains at the StillSecure blog, a “checkbox.”

And this might just be the most common misconception about PCI compliance: that compliance alone should somehow make a business secure.  Of course, such is not the case, but the perception prevails nonetheless.  Similarly, as Ed Kountz at the Forrester blog writes, PCI compliance by itself isn’t enough to engender consumer trust.  PCI compliance, obviously, doesn’t assure comprehensive data security any more than it assures consumer trust, but a company isn’t likely to gain either without being PCI compliant.   It’s a simple concept, really, but one that seems wholly lost on the majority of PCI critics.

Of course, the same old criticisms and rebuttals can only be so exciting.  Fortunately, this last week provided us with some real PCI-related fireworks.  After months of relative silence, Heartland Payment Systems CEO Robert Carr finally spoke, sitting down for an interview with Bill Brenner at CSO online to discuss the much publicized data breach that cost Heartland approximately $32 million (to date).  Carr’s perspective was met skeptically by many, as several responses around the web make clear.

We can only hope that the next two weeks in the PCI compliance world are half as exciting as the last two.   You can bet we’ll be paying close attention!