PCI is a beast, and continues to blot out the sun with its harpy wings, wheeling in the desert sky, slowly waiting to pounce on the weak. Between concerns over requirement 6.6, code reviews, WAFs, and so on…where will this lead us? Let me play annoying Devil’s Advocate a bit.
Well, if you’re a web development shop, why go through all the friggin trouble? Rather than process and store any payment information, hire out to someone like PayPal. When you’re ready to check out, click the PayPal button which transfers you over to the PayPal site along with whatever transaction information you need. User logs in there, performs transaction there, and completes it there. Let the PayPal-type sites deal with PCI.
This way, every web dev shop won’t need a WAF or layers of security or code reviews. Not that I think they should all ditch such efforts, I just feel such efforts are too idealistic for our economic world. I know I’ve yet to hear a developer or developer manager who has any interest in spending effort, time, or money on an SDLC beyond what it takes to roll out product faster and with higher quality (quality not being defined in terms of security other than the most basic stuff like SSL support).
Of course, this means that while web shops won’t process your credit information or store it, they can and likely will store everything else about you. But, hey, that doesn’t fall under PCI!
I have a friend at an F500 retailer who, to this day, is confused as to why they have to do anything with credit card information at all.
Why should the infrastructure be the retailer, as you ask? Heck, why should it be PayPal? Why not the card companies themselves?
Because PCI is all about risk, but not in the way most people think. It’s about transferring GLBA risk away from Visa/Mastercard/Discover, away from the banks, and down to the retailers.