
Where PCI Fails

Anton Chuvakin has an interesting post up on how PCI could possibly have failed in the Heartland case. I had initially planned to avoid talking about Heartland, as it has been blogged to death, resurrected, and blogged to death again.

Anton gives 5 possibilities as to what could have happened; summarized, they are:

1. Bad QSA
2. Compliant, but a password was set to something simple following the tests
3. Non-compliant, but begged a card brand to say they were OK
4. Compliant, but hit with malware that bypassed PCI-mandated controls
5. Compliant, but an employee walked out with the data

After laying out the 5 possible options, Anton asks (rhetorically) for comments on "which of these cases indicates that 'PCI failed'". I almost commented on his blog but decided instead to write a blog post. I disagree with his opinion that none of these are PCI failures.

I don't know that PCI can (realistically) do much about #2, #4 and #5, but I do believe that PCI has failed if #1 or #3 is the case. I should preface this by saying that I'm a huge supporter of PCI-DSS. While the program may not be enough on its own, it's a start and a start is what we need right now.

The fact that the card brands are ultimately responsible for certification is a problem, and ultimately this is a failure of the program ... period. No exceptions, no mulligans ... do not pass Go, do not collect $200. What good is a certification if the certifying body is off to the side and doesn't preside over the final decisions? It reminds me of the various IT/IS certifications and how there are two camps with a nearly 50/50 split on their usefulness, and worse yet, it creates too many "not my jurisdiction" cracks for things to fall through. The SSC creates the DSS and trains/certifies Assessors to audit against a supposedly objective standard that is then subjectively governed by 5 different card brands.

Now the bigger issue (in my mind) ... the "Bad QSA". The existence of "easy grader", "we just look at the docs", and "pay per compliance" QSAs is definitely evidence of a PCI failure. QSA FAIL. PCI SSC FAIL. PCI PROGRAM FAIL. This is one of the reasons why "PCI" struggles to be taken seriously by the security community. nCircle is a certified ASV (I don't think that's a secret (if it is... well, now you know :) )). I'm actively involved in the preparation, completion, and ongoing maintenance of our certification. We invest a lot of time and energy to ensure we're as good as we can possibly be ... because we feel that it's important. Subpar audits are not acceptable. If you are barely hitting your mark as an ASV or QSA, you should be gone.

So in the end, yes... there are scenarios proposed by Anton where PCI fails, but that doesn't mean we should disregard PCI or throw it away. It means we should work to solve these problems and evolve the standard into something that works. As long as we in the community give the PCI Security Program a free pass when it falls down, we become part of the reason for its failures. Criminal and civil codes exist so that citizens, lawmakers, police, judges, and lawyers have a common understanding. The PCI Security Program has not yet evolved to provide this common understanding, and until it does, there will continue to be instances of PCI FAIL.


Comments (1)

>Compliant but a password was set to something
>simple following the tests

This is not what I meant: the option was 'compliance and then something CHANGES [example: somebody sets a simple password]'


This page contains a single entry from the blog posted on January 30, 2009 1:08 PM.
