as if the state of pci wasn’t confusing enough

Posted on by michael

As if the state of PCI wasn’t confusing enough, here is a piece from ComputerWorld that basically makes my head explode:

A Gartner Inc. analyst is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. not to switch to other payment processors just because of Visa Inc.’s decision this month to remove Heartland and RBS WorldPay from its list of service providers that are compliant with the PCI data security rules.

and later this:

Visa requires all entities that accept credit and debit cards issued under its name to work only with service providers that comply with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).

But in a research bulletin issued yesterday (download PDF), Gartner analyst Avivah Litan said that customers can continue to utilize Heartland and RBS WorldPay without facing any fines from Visa.

My first reaction is, “So why the hell does PCI (or the PCI certified listing) matter?” Yes, I understand companies and people make mistakes and honestly this may not be reason to jump ship from an entity, but this certainly questions the relevance of PCI listings.

Well, we’ll make an exception to our own rules saying you need to work only with service providers that are certified?

They’re going to be recertified so stick with it for a bit? Are you sure? And what if they lapse at “a point in time” again?

PCI was not at fault because while HPS was certified at a point in time, it did not maintain that certification at every point in time? (Wow, that could be the infinitely defensible weasel-out card!)

By the way, their delisting is just a point in time thing, just wait?

So, we have this PCI certified listing that PCI itself wants you to adhere to, but if someone drops off, don’t worry about it because they’ll recover. Is there *any* reason left to worry about someone not appearing on that list or being delisted? Which is worse?

And I like the irony (?) of another recommendation in the same Gartner report:

All parties that handle cardholder data: Focus on maintaining continuous cardholder data security, rather than on achieving PCI-compliant status.

No shit? But isn’t that the “do it yourself all the time” attitude what keeps/kept us in a mediocre state in the first place?! It obviously does not work broadly, so we need a kick in the junk by something with steel toes. But do we really need limp steel toes too?