We’ve got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards.

That’s a lot.

Heartland joins another elite group of companies that suffered a breach but were also validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference.

There is a big misconception out there that needs to be cleared up. I’ve even written about it before in this blog. In our investigations of PCI-related breaches, we have NEVER concluded that an affected company was compliant at the time of a breach. PCI Assessments are point-in-time, and many companies struggle to stay compliant every day.

Is there a problem with PCI? If there is one, the problem lies in the QSA community (or internal auditors that have not been through something like the CPISA training), not the standard itself. The new QA program aims to fix this, and time will tell if it hits the mark. The only snag I can see there is that virtually every question that is posed to the Council nowadays comes back with a standard answer that looks something like this:

The PCI Council empowers QSAs to make a determination if the stated controls meet the intent of the requirement. It’s up to the QSA.

In some cases, this answer is warranted. I’ve heard of some of the questions they get. They range from “Does X technology meet Requirement 5?” (usually from that technology’s vendor) to questions that arguably look like free consulting. I do believe the Council has taken such a strong stance against making specific interpretation rulings that there will be room for a QSA to wiggle out of potential liability if they are remarkably good at paperwork.

So, to recap, our experience shows companies that suffer a breach are not compliant with the entire standard at the time of the breach. We should refrain from saying that another PCI Compliant company was breached because the facts show that it just is not true.

This post originally appeared on BrandenWilliams.com.