This is page 2 of:
Visa Yanks Global Payments’ PCI Compliance. Catch-22 In Full Force
The point? Just because someone breaks in doesn’t necessarily mean the homeowner was at fault for not adequately protecting her property. The same is true for retailers and processors.
QSAs are dedicated professionals. It is fair to assume that Global Payments went through months of questions, probes and authentication mechanisms. What does it say about the system that Visa is so quick to simply assume that the QSA must have screwed up or otherwise missed something?
MasterCard told the Journal that it had not removed Global Payments from its PCI Good Boys List and that it wouldn’t until it saw the results of an independent forensic investigation. I hate to say this, Visa, but MasterCard is showing you how it’s done.
We’ve seen this revisionist history move by Visa before, most recently with Heartland. It stems from an Orwellian attitude that PCI is a perfect security mechanism. Therefore, if someone was breached, they must have violated a PCI rule. The possibility that the thief could have figured out a way around the minimal PCI security safeguards is dismissed, as is the possibility that someone could have done nothing wrong and still be breached.
PCI compliance really must be based on intent and best effort. Otherwise, why should anyone bother if the support is yanked whenever it’s needed?
This also places Global Payments’ retailer customers in an awkward position. Technically, they need to use compliant processors. Does this throw the merchants into limbo?
What’s next? If a merchant using Global Payments gets hit as a result of the processor’s breach, will Visa say that retailer, too, was never PCI compliant because it wasn’t using a compliant processor? (“Hey, they were compliant when we hired them.”)
Visa is almost certainly going to let retailers continue to use Global Payments during its review period. And that also makes a mockery of the PCI system. If it’s so critical to use a compliant processor, why waive that rule now?