PayPal – TrustWave – PCI Compliance

PCI Compliance is a necessary evil.

As each release appears it gains more hoops, and thankfully more teeth. It is not a one-size-fits-all approach either - each scale / implementation / risk has its own subsection. The Daddy of which is the PCI SAQ D. A joy that I am all too familiar with.

- You secure and audit your platform, and you patch your code in line with vendor recommendations.

- You grant the scanner carte blanche access beyond any port blocking or IPS defences.

- You account for the services running.

- You fix the vulnerabilities highlighted.

- You mark as false positives those which have a business justification.

- You get that attested by your Authorised Security Vendor (ASV).

- You submit that to your merchant payment processor.

- Job done for another 3 months.

However - PayPal, they have other ideas: "Your ASV is Trustwave" ... no, no PayPal, it's not.

If this is not the case - you will need to call us. Calling us has a minutely rate and a connection fee.

Who will then drag this out, and be surprised when you ask for a means to submit your attested compliance schedule from another ASV, before eventually supplying a suitable email address. While I can appreciate this gives them more control and faith in the scanning vendor, if not a degree of automation and saving, as well as a captive market and pricing, it also reduces choice and makes sweeping assumptions.

In a world where we want to be collectively more security conscious; where the notable background hum of the internet is automated compromise attempts; where sign-ups with multiple cards from made-up locations are an everyday occurrence; where the masses give not two fsck's unless it DIRECTLY impacts their wallet - may I strongly suggest that a better route would be to move card fraud back out of civil into criminal (as I understand it) law, and to take reported account compromises more seriously.

While the PCI standard holds water, and while its goals are admirable, let's have the top of the tree playing by the same rules... or am I getting them confused with "A Bank"?
