A good article that analyzes the situation well and provides the right perspective. I would like to add two observations from personal experience, if I may.

First, companies attempting to be PCI-DSS compliant MUST NOT take the advice of their PCI Auditor (or their firm) on how to remediate preliminary findings. Instead, they should seek the independent advice of domain-experts. There are two very good reasons for this:

1) The Auditor has a conflict of interest when they attempt to provide advice and/or consulting services on how to pass the audit - can anyone say "Enron"?

2) The Auditor is not likely to know the state-of-the-art in a specific security practice and may, therefore, provide advice that could have disastrous consequences on the company that "passed" the audit and now thinks they are safe.

An internationally known, publicly-traded security services company that is also in the business of PCI Audits, has provided two of our clients with advice on PCI-DSS Requirement #3 (Encryption and Key-Management) that is known to be unsafe in the cryptographic community for the last 20 years. The companies insisted on implementing the design proferred by their PCI Auditor and "passed" the audit. They now encrypt CCN transactions and manage encryption keys using practices that students are taught not to implement in Cryptography 101. So much for the clarity of the PCI-DSS and the SSC.

The second observation is with reference to the question raised by the NRF on why merchants should retain credit card data, instead of the banks or credit card companies.

For the simple reason that that is is the way the credit card companies and banks transfer their reputation risk. Given the security and business practices in the industry, even the banks and credit card companies would not necessarily be able to secure this data effectively, cheaply enough. By forcing merchants to retain data and making them responsible for it, they've effectively got attackers going after the "low-hanging fruit" while they keep their name/reputation out of the press as they dole out fines. After all, the party doing the fining cannot be perceived as being wrong in the eyes of the jury (customers), can they?

If the NRF and store-front merchants are serious about changing this business practice, have them go back to what they used to do originally: charge 2-3% more for credit card transactions and incentivize customers to pay cash.

Arshad Noor
StrongAuth, Inc.

Authorized Scanning Vendors (ASV's) do not simulate customer transactions, they perform vulnerability scans on all Internet-facing IP addresses to see whether there any vulnerabilities or gaps that could be exploited by hackers.