I just got off the Global Payments
call where they talked about their breach. Their breach seems to be very different than the one Visa issued an alert on. Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments only reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.
Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.
In the meantime, Global Payments – which was PCI compliant at the time of its breach – is no longer PCI compliant, and was delisted by Visa. Yet they continue to process payments.
What's the takeaway on PCI? The same one that's been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.
This article was originally published on the Gartner
website, and is used by permission. Avivah Litan is a vice president and distinguished analyst in Gartner Research. Her area of expertise includes fraud detection and prevention applications, authentication, adaptive access management, identity proofing, identity theft, and other areas of information security and risk. She also covers the PCI compliance program and the security aspects of payment systems.