A new VISA incentive program for payment providers (i.e. “acquiring financial institutions”) caught my interest. You can read an article about it here. The essential detail is that for every merchant out of compliance with the PCI DSS a fine of between US$5000 and US$25000 will be levied on the acquirer. Conversely, incentives will be paid out for validation of PCI compliance.
I’m all for PCI compliance – it’s really a good set of common sense basic security measures that we should all be implementing in the best interests of protecting customer critical data. And while I’m critical of the way that some of the guidance and standards are put together, the threat of financial penalties can sometimes be a good kick up the rear-end in motivation to put new programs in place.
However, I’m not enthusiastic about an incentive payment scheme – I believe that such schemes have the potential to undermine the standard by turning it into an exercise in achieving the pass mark rather than a serious effort to protect data. For instance, item 1.1.8 of the standard calls for a “quarterly review of firewall and router rulesets.” The associated audit procedures direct auditors to “verify that the rule sets are reviewed each quarter.” Such a review of rulesets is certainly an important process to have in place, and some might argue that quarterly is not often enough; however, how should an auditor verify this? A signature in a log book would probably suffice as evidence, but it does not prove that a process is being followed. There are other areas too that concern me, particularly in section 6 on software development and the means of verifying that systems are not vulnerable to various mentioned vulnerabilities such as cross-site scripting and unvalidated input. Now, I have personally seen examples of systems that have been tested by authorised PCI auditors using application scanning tools and been given a clean bill of health, only for it later to be found that they contained discoverable flaws that could have resulted in exactly the sort of incident the PCI standard is supposed to be preventing. And even if an auditor does successfully and accurately give an application a clean bill of health, the very next change request could undermine all the efforts.
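To make the log-book point concrete, here is an added example (my own illustration, not part of the standard or its audit procedures) of what more verifiable evidence for the quarterly ruleset review could look like: each review record is bound to a hash of the exact ruleset that was examined and lists what changed since the previous review, so an auditor can mechanically check that the live ruleset is the one that was reviewed and that the review is not stale. The rulesets, reviewer name and ticket reference are constructed sample data; the 90-day interval is my reading of “quarterly”.

```python
"""Added example: verifiable evidence of a firewall ruleset review.

Not code from the original post or from the PCI DSS; the rulesets,
reviewer and ticket reference below are constructed sample values.
"""
import hashlib
import json
from datetime import date

# Constructed sample rulesets (iptables-style lines), not real configuration.
RULESET_Q1 = """-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -j DROP
"""
RULESET_Q2 = """-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -j DROP
"""

REVIEW_INTERVAL_DAYS = 90  # assumption: "quarterly" taken as at most 90 days


def _rules(ruleset: str) -> set:
    """Normalise a ruleset into a set of non-empty, stripped lines."""
    return {line.strip() for line in ruleset.splitlines() if line.strip()}


def ruleset_digest(ruleset: str) -> str:
    """SHA-256 over the normalised, sorted ruleset so whitespace changes do not matter."""
    return hashlib.sha256("\n".join(sorted(_rules(ruleset))).encode()).hexdigest()


def diff_rulesets(old: str, new: str) -> dict:
    """Rules added and removed since the previous review: what the reviewer had to look at."""
    old_set, new_set = _rules(old), _rules(new)
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}


def record_review(ruleset: str, previous: str, reviewer: str, reviewed_on: date, notes: str) -> dict:
    """Build a review record tied to the exact ruleset that was reviewed."""
    return {
        "ruleset_sha256": ruleset_digest(ruleset),
        "reviewer": reviewer,
        "reviewed_on": reviewed_on.isoformat(),
        "changes_since_last_review": diff_rulesets(previous, ruleset),
        "notes": notes,
    }


def verify_review(record: dict, live_ruleset: str, today: date) -> list:
    """The checks an auditor can run mechanically. Returns findings; an empty list passes."""
    findings = []
    if record["ruleset_sha256"] != ruleset_digest(live_ruleset):
        findings.append("live ruleset differs from the ruleset that was reviewed")
    reviewed = date.fromisoformat(record["reviewed_on"])
    if (today - reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("last review is older than %d days" % REVIEW_INTERVAL_DAYS)
    if not record["notes"].strip():
        findings.append("review record carries no reviewer notes")
    return findings


def demo() -> tuple:
    """Run the example end to end: a passing check, then a stale record against a changed ruleset."""
    rec = record_review(RULESET_Q2, RULESET_Q1, "j.doe",
                        date(2008, 4, 1), "8080 opened for staging proxy; ticket CHG-0042 (constructed)")
    ok = verify_review(rec, RULESET_Q2, date(2008, 5, 1))
    # A rule was added after the review and more than 90 days have passed: two findings.
    drifted = RULESET_Q2 + "-A INPUT -p tcp --dport 3389 -j ACCEPT\n"
    bad = verify_review(rec, drifted, date(2008, 8, 1))
    return rec, ok, bad


if __name__ == "__main__":
    record, passed, failed = demo()
    print(json.dumps(record, indent=2))
    print("in-date, unchanged ruleset:", passed)
    print("stale record, changed ruleset:", failed)
```

The point of the digest is that the record cannot be produced without the ruleset in hand, and a signature alone cannot reproduce it; a scanner-style “clean bill of health” could be bound to a build identifier in the same way so that the next change request visibly invalidates it.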
Security should be adding value for customers – they come back because they know that their data and payment information are secure with you. VISA have their hearts in the right place, so instead of incentives on the acquirers, how about a “VISA certified payment provider” stamp on products and some truly verifiable audit procedures? Just a thought!