KillerSites Blog

PCI Compliance Security Scam – Podcast

November 1, 2010

The following article and podcast are based on my personal experience and opinion, as a web application developer and web entrepreneur.

Let’s start with the basics, what is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice, that means essentially any merchant that has a Merchant ID (MID).

… So if you are processing credit cards and you take credit card information on your site, you are then subject to the edicts of PCI compliance.

Now on the surface this may sound like a good idea, but in practice, I am seeing something akin to the Y2K scam of the year 2000, where many companies paid big money ($$) to protect against the non-existent threat of Y2K. Again, my opinion as a programmatic nerd.

… Ahh Y2K, many fraudulent fortunes were made in those days!

PCI Security Server Scan/Scam

So being a proud holder of a merchant ID (so I can process credit cards directly) I fell under the oppressive thumb of the PCI compliance industry. Besides answering yes to a whole slew of questions that had ZERO relevance to my company because of how we do things, I had to subject my server to the PCI compliance scan.

PCI Server Compliance Scan … cough … Scam

Looking to profit from this boondoggle, we now have a bunch of companies that will happily scan your server for vulnerabilities – for a fee of around $200.

How this Security Scan/Scam works:

So basically, they point their scanning robot (kinda like a search engine’s robot) at your server to try and find holes. Holes that can be exploited by people to say … steal credit card information being stored on your server.

… Funny, I tried explaining to the powers that be that I had NO credit card information stored anywhere. So scanning to see whether my databases were secure or not was a waste of time. But alas, my pleas for common sense made no difference – they still had to check my database for vulnerabilities. It was important to do so, because not scanning my server might cost THEM money in unrealized scanning fees.

So how did my scans turn out?

I am getting too tired to write this out … so listen to my podcast on PCI compliance for the details about the scan and to get my analysis of the overall process.

A Quick Summary.

But just in case you can’t listen to the podcast, the scanning was a sham:

  1. The results cited many POTENTIAL security threats that were one in a million! Kinda like saying you shouldn’t use an umbrella with metal rods in it because you are in danger of a lightning strike.
  2. Some supposed high security threats would essentially mean disabling key functionality if I were to actually implement the required changes.
  3. I ran several scans on the server (without changing a thing between scans) and got very different results!
  4. Finally, the first failures I got were because they could not get into my server – because of my firewall. I had to white-list their scanning robot so they could actually penetrate my server’s security (otherwise they failed me) … but that then caused me to fail their test because my ports were open … ironically because I opened them for their robot!! This failure in logic did not seem to click with their support staff.

How to defend against this scam of PCI compliance?

If I were a small-to-medium-sized company, I would strongly suggest using a 3rd party processor like PayPal and offloading the actual credit card data processing to their servers. This way you will avoid the PCI garbage.

Stefan Mischook