Global Security, Privacy, & Risk Management

“Doing Time Before Being Convicted?” – Analyist Accuses Merchant of PCI Non-Compliance May 11, 2012

I wrote this in May 2012.  Given the current position in the industry if proclaiming victims of cybercrime to be wholly responsible, I thought it appropriate to publish again.

I was reading a an article on BankInfoSecurity.com titled: “Online Retailer Breached”.  I am taken aback at the attitude of the quoted analyst.  A Gartner analyst took a very bold step of accusing the merchant of “non compliance” then seemingly qualifying his statement by adding: “The attacker was probably able to attack unencrypted card numbers,” he says. “But given the lack of details, it’s hard to say for certain.”

In the article, the analyst states: “There are really only two scenarios that would allow the actual card numbers to be stolen: either from a database on the back end, which means the retailer was in violation of PCI-DSS, or the hacker could have launched something on the site to get the numbers after they were transmitted.”  First, there are a number of ways that an “actual card number” could be stolen from an eCommerce site and second, it is entirely possible to have breach without being ‘non compliant’.   The Analyst follows up with a typical ivory tower PCI perspective: “E-commerce sites are more vulnerable when they don’t take PCI seriously,” he contends. “Everybody who is involved in PCI-DSS probably knows a merchant that just entered ‘yes’ to everything, without really doing a thorough job of checking for compliance.” So is his first sentence acknowledging that eCommerce sites are still vulnerable if they do take the PCI seriously?  In this case it seems difficult to state definitively that if a number was accessed then the company was non compliant.   The second sentence highlights the challenges of the PCI industry in 2012.  Too many ‘experts’ are quick to jump on the bandwagon and equate security with compliance.  The knee jerk reaction is to proclaim companies as ‘non compliant’ simply because they experienced a data breach.  The point is that it is irresponsible to accuse a company of non-compliance without first having insight into the attack.  (BTW…I have a bit of PCI expertise myself.  You can read my bio, if so inclined)