The problem is not Visa removing a non-compliant company from its compliance list (note that MasterCard hasn't. More on that in a moment). The problem is the perception that Visa is doing this as a knee-jerk reaction to a breach—this de-list first, ask questions later approach—not because it established anything concrete and specific.
On Sunday (April 1), Visa officially removed Global Payments from its PCI compliance list. (You thought you were compliant? April Fools! You no longer are.)
This is Visa's official statement: "On March 30, Global Payments publicly disclosed unauthorized access into a portion of its processing system, resulting in the potential compromise of payment-card account information from all major card brands. Based on Global Payments' reported unauthorized access, Visa removed the company from its registry of PCI DSS-validated service providers. Per our normal process, Visa has asked Global Payments to revalidate its PCI DSS compliance. The PCI DSS has proven to be a highly effective foundation of minimum security standards when fully, correctly and consistently implemented across all systems handling cardholder data."
When asked if there were any reasons—beyond the fact that the processor was breached—that Visa made this change, such as Visa being aware of false statements or incomplete answers Global Payments might have given to its QSA or if it had changed anything since the last assessment, Visa spokesperson Sandra Chu on Wednesday (April 4) said: "The investigation is ongoing, so there are no details I can share. We've asked them to revalidate and, in the meantime, given the obvious questions, we've removed them from the list."
There always exists the possibility that Visa is, indeed, aware of information that would justify Global Payments being removed from the list. But the statements to date seem to reinforce the idea that this was solely because of a breach having happened.
Note that this is a sensitive matter, but Visa could have easily addressed this without revealing anything. For example, something like this would have likely cleared the lawyers: "There were reasons beyond the breach merely having happened that prompted our decision. We can't reveal what those reasons were, but rest assured that we didn't take this action solely because of bad guys getting through."
The explanations offered to date from Visa reinforce the fears of every retail IT security exec who is desperately trying to justify all of the time, effort and money being spent on PCI compliance.
The fear is that PCI compliance only exists up to the moment it's needed. PCI doesn't deliver security, of course, because it's only an entry-level checkpoint. Besides, retailers could implement all of those best practices without the headaches associated with repeated compliance exercises.
Avoiding fines, although nice, is rarely a huge concern among the major chains. No, the real reason to be compliant is to have that declaration in case you're breached, something the lawyers can use when fighting off class-action lawsuits, something the board can point investors to and something PR can point customers to. Why spend all of that money with the QSA process if you're automatically—and retroactively—declared non-compliant when any breach happens?
On the breach itself, Global Payments is now saying it was limited to North America and the number of card numbers taken was fewer than 1.5 million.
"The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and Social Security numbers were not obtained by the criminals," the statement said. "Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained."
Now, back to the problem with Visa having thrown Global Payments off the PCI compliance list so quickly. Let's say a homeowner has done everything within reason to protect her home: state-of-the-art monitored security systems, triple-redundant protection throughout the house, bars on every locked window, a steel door reinforced with high-security deadbolts, armed guards patrolling the premises 24x7, etc. That doesn't mean a clever, persistent and well-financed burglar couldn't still break in.
The point? Just because someone breaks in doesn't necessarily mean the homeowner was at fault for not adequately protecting her property. The same is true for retailers and processors.
QSAs are dedicated professionals. It is fair to assume that Global Payments went through months of questions, probes and authentication mechanisms. What does it say about the system that Visa is so quick to simply assume that the QSA must have screwed up or otherwise missed something?
MasterCard told the Journal that it had not removed Global Payments from its PCI Good Boys List and that it wouldn't until it saw the results of an independent forensic investigation. I hate to say this, Visa, but MasterCard is showing you how it's done.
We've seen this revisionist history move by Visa before, most recently with Heartland. It stems from an Orwellian attitude that PCI is a perfect security mechanism. Therefore, if someone was breached, they must have violated a PCI rule. The possibility that the thief could have figured out a way around the minimal PCI security safeguards is dismissed, as is the possibility that someone could have done nothing wrong and still be breached.
PCI compliance really must be based on intent and best effort. Otherwise, why should anyone bother if the support is yanked whenever it's needed?
This also places Global Payments' retailer customers in an awkward position. Technically, they need to use compliant processors. Does this throw the merchants into limbo?
What's next? If a merchant using Global Payments gets hit as a result of the processor's breach, will Visa say that retailer, too, was never PCI compliant because it wasn't using a compliant processor? ("Hey, they were compliant when we hired them.")
Visa is almost certainly going to let retailers continue to use Global Payments during its review period. And that also makes a mockery of the PCI system. If it's so critical to use a compliant processor, why waive that rule now?