What do Home Depot, Target, and a slew of other merchants (Jimmy Johns? idk) who are compromised but don’t know it yet have in common? PCI-DSS Compliance.
Theroetically, PCI-DSS is being pushed by the major payment card brands as a way to ensure that merchants who accept payments via credit card at least implement a baseline of security controls across their infrastructure, and ensuring that merchants and service providers have controls in place to prevent credit cards from being compromised, and to respond appropriately when it is.
Realistically, in 90% of cases PCI-DSS is a joke. The merchant lies to the Auditor because they want to get PCI-DSS over with, the Auditor fudges the audit to help people pass the line, because if they don’t, someone else will, and the Audit itself is useless from a technical perspective because the merchant got the cheapest penetration tests available.
Following Home Depot’s compromise, there was an excellent Reddit discussion, where it was pointed out that the PCI auditor is typically completely outmatched by attackers. This, too, is true: I don’t know a single “technical person” who wants to seppuku their technical career with PCI, or a single QSA who has the freedom to go and explore their technical interests because it’s generally “oh, you can do PCI? yeah we need a QSA, enjoy doing PCI all the time”.
Everyone is at fault here, from the PCI high council which making an incredibly pedantic and strict standard which allows so little leeway for interpretation, to the QSA companies who race to the bottom of the barrel at the cost of quality, to merchants who don’t take security seriously and just want PCI to go away.
Funnily enough, PCI works if you take it not as a standard which you must pass, but a baseline indicating which areas of security your organisation should look at as a starting point (all the while, coming up with your own security standards which fit your organisation).
PCI needs to change, and desperately so, because right now, PCI Compliance typically means next to nothing.