Give this a look (random googled checklist):
http://www.bbb.org/d...liant/checklists/
While many examples in the news are brick-and-mortar stores, with cracked
point-of-sale systems as their current issue, almost all of them
also have web stores as well. So let's use any online store as an example
for this thought exercise.
#1: If they do not charge your credit card before shipping, then they
MUST store it on disk. MUST! And if they partial ship, then they
must be allowed to do multiple transactions as well.
This means an automated system has to be able to read the database
entry that contains the card, decrypt it, and issue transactions.
So, anyone who managed to break into the system that either stores
the CCs, manages the process, or sniffs the wire can copy every CC
in the system. Also, since in-flight data does not need to be encrypted
(at least behind the corporate firewall), then EVERY system on
the network is a potential threat. Every zero day exploit could be
harvesting those CC numbers to forward along.
The checklist format allows a variety of "levels" of adherence, including
"working on it, please check on next review", which means CIOs can
cover their ass by assigning the task to an underling, and then
ignoring it for 6 months. There are people who are named on PCI docs
as the responsible individuals, but they have NO CLUE what the actual
responsibility is. But even when they do, they can point to an external
vendor and say: This is on the list of approved vendors and we have
it running here (but they didn't actually implement the functionality
that they needed) which lets them skate as well.
I've just scratched the bare surface. PCI is nothing more than a
method of allowing CC vendors to claim they care, and companies
to claim they are making an effort. It does NOTHING for actual
security, it just provides a method of passing the buck when the shit
hits the fan.