Monday, September 8, 2014

PCI and Retailer Breaches

Just a quick thought in the absence of meaningful thoughts on here ...

When Target was breached at the end of 2013 (and every day since then), from the safety of their climate controlled armchairs, pundits have cast judgement on Target.  "Target was negligent." Or maybe "Their PCI QSA wasn't thorough."  Sentiments along those lines ...

Now, here comes The Home Depot's breach.  Same malware.  Same techniques.  Quite possibly orders of magnitude higher in scope than Target (time will tell).  The same ol' drums will beat from smart phones and tablets in living rooms everywhere.

The reality is ... It's very difficult.  Difficult to get security "correct."  And more difficult to keep it in that "correct" state over time.  A single chink in the armor, as the ol' saying goes ...

For the self-acclaimed pundits who throw rocks in glass houses, consider this:
Every single Level 1 merchant that has been breached has RoCs (Reports on Compliance) signed by both a third party and representatives of the credit card brands.

Now for the realistically jaded perspective: PCI is really just about transferring risk to merchants and away from the card brands.  That's it.  Does it work?  Sure it does, since consumers are still using credit cards at merchants, and the economy hums along.

That is all ...