Visa claims to be everywhere I want to be. I'm highly suspicious of this claim, since most of the time that they get involved in something, I usually wind up learning the hard way that I really don't want to be there. This happened to me once again, as I just went through the training and accreditation required to become a Visa QDSP (Qualified Data Security Professional).
Before I get into this, let me say that it was the content of the class that bothered me, not the format; in other words, the instructor was friendly and presented well, the food was relatively Atkins-friendly, and the class got out early both days. In short, most of the things that would usually be a source of major concern in a class were not a problem in this one. But the experience was painful nevertheless.
So why am I so down on the PCI data security standards? Because the claims that it makes are not what it delivers; take an example - early on in the class, the claim was made that the "goal of PCI was to make non-members equal in security posture to members". In other words, Visa members (issuing and acquiring banks) - which don't have to be certified under PCI - already have rigorous security controls. The goal is to make processors, gateways, merchants, etc. equal in posture to members. Sounds like a good goal to me. However, take a look at some of the requirements:
6.3.4 Production data (real credit card numbers) are not used for testing or development
6.5 Review custom application code to identify coding vulnerabilities.
So, members don't use production data in test? They always review source code in custom applications? Guess again; ask anybody who works in FS and they'll tell you that it's the rare institution that does either of these things. Here's the issue - PCI holds non-members accountable to the standard that banks can't meet for themselves. Holding merchants and processors to a higher standard than banks (the reality of PCI) seems to me to be misplaced energy.
Posted by Ed at January 20, 2006 10:13 PM