Visa Yanks Global Payments’ PCI Compliance. Catch-22 In Full Force

April 1st, 2012

The point? Just because someone breaks in doesn’t necessarily mean the homeowner was at fault for not adequately protecting her property. The same is true for retailers and processors.

QSAs are dedicated professionals. It is fair to assume that Global Payments went through months of questions, probes and authentication mechanisms. What does it say about the system that Visa is so quick to simply assume that the QSA must have screwed up or otherwise missed something?

MasterCard told the Journal that it had not removed Global Payments from its PCI Good Boys List and that it wouldn’t until it saw the results of an independent forensic investigation. I hate to say this, Visa, but MasterCard is showing you how it’s done.

We’ve seen this revisionist history move by Visa before, most recently with Heartland. It stems from an Orwellian attitude that PCI is a perfect security mechanism. Therefore, if someone was breached, they must have violated a PCI rule. The possibility that the thief could have figured out a way around the minimal PCI security safeguards is dismissed, as is the possibility that someone could have done nothing wrong and still be breached.

PCI compliance really must be based on intent and best effort. Otherwise, why should anyone bother if the support is yanked whenever it’s needed?

This also places Global Payments’ retailer customers in an awkward position. Technically, they need to use compliant processors. Does this throw the merchants into limbo?

What’s next? If a merchant using Global Payments gets hit as a result of the processor’s breach, will Visa say that retailer, too, was never PCI compliant because it wasn’t using a compliant processor? (“Hey, they were compliant when we hired them.”)

Visa is almost certainly going to let retailers continue to use Global Payments during its review period. And that also makes a mockery of the PCI system. If it’s so critical to use a compliant processor, why waive that rule now?

5 Comments

  1. Chris Says:

    So PCI compliance cannot guarantee that a provider will not be breached, but a breach is inherent evidence of non-compliance? Any comment from VISA as to whether they will continue to accept ROCs prepared by Trustwave? Seems like an inconsistent position.

  2. Thu Says:

    Global Payments reported they were working toward being in compliance with PCI, despite already being on the list. In a backwards way, they admitted they were not previously in compliance. We can’t really say that a breach is inherent in these types of situations without having a full investigation report. That’s one reason why MasterCard is waiting to see what forensics finds before yanking them from their list.

  3. Steve Sommers Says:

    In the past, Visa has stated, “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won’t be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100 percent compliant 100 percent of the time. From the simple fact that Global was breached, PCI non-compliance was already a fait accompli. My hope is that someday the card brands, law enforcement, and the media will prosecute the hackers and thieves as harshly as they prosecute merchants, banks, and processors for non-compliance.

  4. Biff Matthews Says:

    PCI, TSA, IRS – obviously none of these functions as intended or as promoted. I’ve said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constraints. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the Wizard of Oz?

  5. Steve Sommers Says:

    This begs the question, how does this decision by Visa affect Third Party Processors (TPAs)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS?
