Home Depot, Target and PCI-DSS

What do Home Depot, Target, and a slew of other merchants (Jimmy Johns? idk) who are compromised but don’t know it yet have in common? PCI-DSS Compliance.

this means sweet fuck all

top fucken lel

Theoretically, PCI-DSS is being pushed by the major payment card brands as a way to ensure that merchants who accept payments via credit card at least implement a baseline of security controls across their infrastructure, and that merchants and service providers have controls in place to prevent credit cards from being compromised, and to respond appropriately when they are.

Realistically, in 90% of cases PCI-DSS is a joke. The merchant lies to the Auditor because they want to get PCI-DSS over with, the Auditor fudges the audit to help people pass the line, because if they don’t, someone else will, and the Audit itself is useless from a technical perspective because the merchant got the cheapest penetration tests available.

Following Home Depot’s compromise, there was an excellent Reddit discussion, where it was pointed out that the PCI auditor is typically completely outmatched by attackers. This, too, is true: I don’t know a single “technical person” who wants to seppuku their technical career with PCI, or a single QSA who has the freedom to go and explore their technical interests because it’s generally “oh, you can do PCI? yeah we need a QSA, enjoy doing PCI all the time”.

Everyone is at fault here, from the PCI high council which makes an incredibly pedantic and strict standard that allows so little leeway for interpretation, to the QSA companies who race to the bottom of the barrel at the cost of quality, to merchants who don’t take security seriously and just want PCI to go away.

Funnily enough, PCI works if you take it not as a standard which you must pass, but a baseline indicating which areas of security your organisation should look at as a starting point (all the while, coming up with your own security standards which fit your organisation).

PCI needs to change, and desperately so, because right now, PCI Compliance typically means next to nothing.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.
