Thursday, January 28, 2010

REAL PCI Compliance Percentages?

Reading "UK Security Breach Investigations Report 2010" [PDF] (source) makes for some truly blood-curdling reading.

Example:

"Prior to having suffered a cardholder data compromise, 26% of the organisations had believed themselves to be PCI DSS compliant upon submission of completed Self Assessment Questionnaires. The investigations also revealed that none of the organisations met all requirements of the PCI DSS."

This is how it starts. It is all downhill from there:

"Indeed, in just over one quarter of the cases, none of the twelve requirements were met."

and

"7Safe has found that all the merchants who have been subject to a breach and have completed an ASV scan have believed themselves to be secure based solely on the results of this scan"

I literally cannot read any further, since I am starting to get angry! Can somebody come and kick those merchants in the balls, please? Actually, no. Do not kick them! Stand on their balls. :-)  Then have them buy our book!

Dr Anton Chuvakin