<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Occupy PCI</title>
	<atom:link href="http://blog.magtek.com/index.php/2012/02/occupy-pci/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.magtek.com/index.php/2012/02/occupy-pci/</link>
	<description>The Official Blog of MagTek, Inc.</description>
	<lastBuildDate>Fri, 17 May 2013 21:05:21 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Paul</title>
		<link>http://blog.magtek.com/index.php/2012/02/occupy-pci/#comment-99</link>
		<dc:creator>Paul</dc:creator>
		<pubDate>Wed, 28 Mar 2012 17:41:08 +0000</pubDate>
		<guid isPermaLink="false">http://occupypci.com/?p=54#comment-99</guid>
		<description>Finally, someone brave enough to speak the truth about the fraud of PCI. Our QSA (Qualified Security Assessor) kept telling me to keep my mouth shut if I ever wanted our software to be PA-DSS certified. Don’t make waves, just comply or say you complied, with the asinine rules. I eventually realized that PCI compliance is not about security or fraud prevention, it is about pretty reports that deflect liability down the credit card processing chain away from the Card Brands towards the merchant. Once I understood the PCI-SSC’s true goal, it made the certification process much easier. Why are more companies not complaining about PCI? In a word, fear. We are being judged by the PCI-SSC with no ability to appeal to a higher authority. If you piss someone off at the PCI-SSC, they can just forget about your application for six months while you quietly go out of business. Just pay the tens of thousands of dollars to make the pretty report, pay the PCI-SSC their blood money, and shut up. All of this just to try to protect information that is completely unencrypted and static sitting on the front and back of a credit card, ridiculous. It is tantamount to all of us building a thirty-foot, razor-wire-topped fence and then having the Card Brands leave the main gate open.</description>
		<content:encoded><![CDATA[<p>Finally, someone brave enough to speak the truth about the fraud of PCI. Our QSA (Qualified Security Assessor) kept telling me to keep my mouth shut if I ever wanted our software to be PA-DSS certified. Don’t make waves, just comply or say you complied, with the asinine rules. I eventually realized that PCI compliance is not about security or fraud prevention, it is about pretty reports that deflect liability down the credit card processing chain away from the Card Brands towards the merchant. Once I understood the PCI-SSC’s true goal, it made the certification process much easier. Why are more companies not complaining about PCI? In a word, fear. We are being judged by the PCI-SSC with no ability to appeal to a higher authority. If you piss someone off at the PCI-SSC, they can just forget about your application for six months while you quietly go out of business. Just pay the tens of thousands of dollars to make the pretty report, pay the PCI-SSC their blood money, and shut up. All of this just to try to protect information that is completely unencrypted and static sitting on the front and back of a credit card, ridiculous. It is tantamount to all of us building a thirty-foot, razor-wire-topped fence and then having the Card Brands leave the main gate open.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
