CrankySec

When The Mafia Comes Knocking

Let's come out swinging: the PCI SSC is a racketeering outfit that should be slammed with at least 30 RICO charges from the US Department of Justice. Think about it for a second, boys: you have a business, you accept credit cards, you pay a fee for every transaction, you pay rent on the little card readers and you are on the hook for the security of data that don't even belong to you? Fuck that, capisce?

Quick recap if you're not familiar with the Payment Card Industry family of security standards: these are security standards written and mandated by the Payment Card "Industry" Security Standards Council, a friendly organization comprised of mom & pop shops like Visa, Mastercard, American Express, and JCB. If you do anything with payment cards, you need to comply with this fucking thing. Yes, even the corner store you go to get your Pabst Blue Ribbon you fucking degen hipster stuck in 2006. Not only that, they have to do that every fucking year, while trying to decipher what in the name of shit is an SAQ B-IP, and how's that different from an SAQ A-EP. If you're selling a lot of stuff, you are even required to have a "specialized" kind of auditor from a "specialized" kind of company come in every year to make sure you're deploying the necessary resources to protect data that belong to a bank with trillions of dollars in assets.

This is fucking important: the payment card cartel wants the businesses to spend time and money protecting data they don't own (or even need) in order to reduce the liabilities of giant financial corporations. And lest we forget, the businesses are already paying money to these racketeers on every transaction.

If you're over a certain (and arbitrary) threshold of payment card transactions per year, you have to pay a QSA company (who pays the Council for the honor of being "qualified") to assess your compliance. You'll also need to hire an ASV company (who pays the council for the honor of being "approved") to run vulnerability scans on ya, and, if you don't have that expertise in house, someone to pentest your ass. Again: all that to protect data that don't belong to you or even your customers. That's right, my guys: your credit card number is not your data. It belongs to the entity issuing the card.

There's a whole ecosystem out there to support this extortion enterprise industry: QSA companies, ASV companies, consulting companies, a billion vendors that will try and sell you some bullshit compliance-in-a-box product, etc. Some will even be the same company! I hear you saying "Wait, Scar... Isn't getting paid to help a company achieve compliance and getting paid to verify compliance a conflict of interest since the company in question would be assessing their own work?" To which I reply: "LOL. Are you new here or something? Catch up, bro!"

Sidebar: This shit is very lucrative. The demand for QSAs is extremely stable, and the revenue recurring. Everyone who deals with payment cards has to do it one way or another, and they have to do it every year. It also helps that a QSA company can go in, find a bunch of issues, and inform their clients that those issues can be solved by products and services that QSA company just happens to sell. One company used to be the big dog in this industry until they got acquired by a foreign tech conglomerate, which made the owner of said big dog a very wealthy man. Obviously, the foreign conglomerate fucked it up, and the wealthy man just said fuck it, and started the same company with a different name, doing the same thing, with a lot of the same people working for him. It's amazing how things work, eh? Next step is to find another fool to buy your company, become very wealthy x2, rinse and repeat. I'm sure you know the name of the company I'm talking about.

Obviously, the QSA company has absolutely no incentives to fail anyone. If they don't give you a passing grade, you'll just find another QSA who will. Lots of options out there, really. As long as the costs of payment card fraud are far away from the issuing banks, the Council doesn't give a shit. As long as the responsibility for dealing with payment mechanisms invented in the fucking 1950s is someone else's problem, we're good! Don't want to play along? Payment card companies will tell their enforcers (street name: acquirers) to break your legs politely inform you that you'll be fined and/or won't be able to accept payment cards until you pay protection money are able to demonstrate compliance.

And that brings me to the final piece of this shit puzzle: the people who have to go and do these assessments. They're also called QSAs, and becoming one is not easy! JK. It is pretty easy. Alls you gots to do is work for a QSA company, take a 2-day class, pass a silly test, and that's about it. But how can they make sure the QSA prospects know anything about cybersecurity at all? Well, reader, you just fucking outsource that problem! To become a QSA, one must first be anointed by the glorious cybersecurity professional gatekeepers at ISC2, ISACA, et al. I'll tell you right now: the absolute vast majority of QSAs are morons. I cannot overstate this. Every time I had to deal with a QSA I ended up explaining the basic concepts of information security operations to them, the arcane knowledge called "key management", and the ultra complex idea of meeting the intent of a fucking control.

Then again, we need to participate in this circus, otherwise the whole "industry" collapses. Sensing a theme here? Something like "A bunch of idiots run the show, and I need to play along if I want to keep my job. Fighting over this will get me nowhere, and will backfire because no one should even hint that they know more than their betters. We're the help and we should know our place in the pecking order!"

Shut up, slug

Your CISO

In the immortal words of Steven Gonville Toast, "fuck that sky-high."

P.S.: I see your emails, boys and girls. I reply to them. I am serious about the co-op. Until I get a Discord going, you know where to find me. Share this shit with your bros and let's turn this industry upside down. Or, at the very least, let's make fun of these CISO fucks who think too highly of themselves. Those bridges are not going to burn themselves.

P.P.S.: Our is live.