Last week I moderated a panel at a PCI-focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign); the event was great! The panel participants were heavy hitters from the industry, including Anton Chuvakin from Qualys, Davi Ottenheimer from ArcSight, and Bill Cook from Wildman Harrold.

Anton has posted a few great points from the event on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only got through THREE in the seventy-five minutes we used!

Side note… the guy next to me on AA1882 to BOS is chuckling so hard at Madagascar 2 that he is shaking the whole row. WOW. Too bad I don’t have my ratchet set, I could secure these seats a little better. And yes, I often do write at 30,000+ feet.

The audience and panelists focused on the word compliance and how it differs from the terms security and validation. It is obvious that the scrutiny on PCI is higher now than it was during its initial rollout. Merchants are crying foul, saying that the card brands are using PCI to protect their investment in outdated and insecure technology. Legal cases challenge both the fines and Visa's recent statement that there has never been an instance of a compliant (remember the difference between compliance and validation) entity being breached. And everyone is disgusted with the vendor who claims to solve all of your PCI problems if you just buy his technology.

We’re at a crossroads, methinks.

Today, Bob Russo and other industry pundits (one of whom has absolutely no business being a part of the inquiry except to irresponsibly use his position to promote his own incorrect and misleading propaganda, thereby making retail CIOs look like old relics that cheer for this fancy, new thing called EDI… yes, you guessed who it is) will go before the House Homeland Security Committee to try and answer the question, “Do the Payment Card Industry Data Standards Reduce Cybercrime?”

One thing that was clear from the panel is that everyone agreed PCI has pushed data security projects farther inside their companies than any other measure to date. If you are reading this out there and disagree, it may take a breach for your management to see the light and invest appropriately. We also all agreed that an amazing amount of money for security projects magically becomes available after a breach.

After listening to some of the stories about other QSAs that the audience brought, I think I might have stumbled upon something. We’ve all had someone explain a situation to us that does not appear to represent a compliant solution. Not only are we sometimes misled by a lack of context, but I think something a little more ominous occurs.

The number of QSA firms is impressive, and merchants are free to choose any one of them. Let’s say that as a QSA you are dealing with a prized or significant customer. While the QSA is on-site, the customer pushes back (as I explain in my upcoming article… more on this later) on findings in various areas to see if the QSA will bend. If two or three managers push back in key areas all at the same time, and the controls in those areas are interdependent, there is a significant chance that a non-compliant situation results even though each individual concession looked minor.

Is the QSA remiss for not standing its ground or pointing this out? Absolutely. But as we have seen, merchants and service providers sometimes forget that they are still ultimately responsible for their own PCI Compliance. Once they have that compliant ROC, sometimes they run around their campus triumphantly waving it in the air as they dodge cubes in Prairie Dog Land.

Sit back for a moment and think about all those situations where you have pushed back on assessors. Depending on the items they reversed their position on, you may be in one of those situations where a breach is going to sneak up on you. Is compliance with PCI a guarantee that you are immune to breaches? Most (including the panel and all of the audience members) agree that it is not. Instead, implementing PCI correctly and layering security on top will give you the best shot you can get.

Remember, if you are able to convince your management to take security seriously, and responsibly use your position as a security expert to recommend controls that are good, cost-effective, and relevant to the organization, you will have a much better shot at preventing that breach.
