
The High Price of “Faking” Your PCI Compliance Status
By Todd Bell
Global IT Security, Setting Strategy & Building Programs,
Rearchitecture Design
Introduction
After further analysis of the three companies that chose to short-cut the PCI Standard, I started to research the common denominators of each company and the attributes they each possess:
- All three companies have had some type of past security breach
- All three companies “self-attest” under the PCI ISA program
- All three companies have had a lot of controversial coverage in the media
- All three companies are considered the best in their industry
- All three companies have had some type of fraud at the executive level as shown in past media reports
- All three companies were using the same Fortune 500 Outsourced Data Center Service Provider (directly and indirectly)
When companies are “faking” their PCI compliance status, it is not only fraudulent activity and a breach of contract with the acquiring banks and payment brands; it is also a breach of customer trust. When employees actively engage in “faking” their company’s PCI status, it is often because of a company culture that favors “managerial convenience” over safeguarding credit card data. The top executives of any firm set the tone for the company and contribute heavily to corporate culture. When the behavior at the top includes past fraud among the executive ranks, it permeates down to the rank-and-file employees as acceptable behavior. Unfortunately, the consumers are the ones who lose in the long run, because they are the ones at risk. In addition, this creates greater risk exposure for the payment brands, which have to deal with the financial consequences of potential fraud at a time when swipe fees are at the forefront of controversy.
Over the years, I have met many CIOs and CTOs who have measured their competitors, or past companies they have worked for, against the PCI Standard and firmly state, “they are not PCI compliant, so why is our company being held to a higher standard?” The answer is simple. The PCI Standard is the same for every company, and the competing company chooses to operate below the PCI Standard and put its customers at risk. The probability of a security breach only increases with each year that passes.
While these three companies may think they are prospering by underscoring their PCI compliance status, they are hurting consumers. The Federal Trade Commission (FTC) will take notice when consumers are at risk of harm. In a past ruling, Dave & Buster’s [1] settled charges that required the company to obtain independent professional audits every other year for 10 years and FTC compliance monitoring on top of annual PCI assessments. This summer, the FTC filed a suit against Wyndham Hotels [2] for three security breaches in less than two years. While no ruling has been made, this will cost Wyndham Hotels thousands of dollars to defend against the suit, and it is uncertain whether the hotel chain will face steep fines and penalties from the FTC.
While it is easy to criticize these three past companies that I have worked with as a sub-contractor, again I have to ask myself whether I am culpable. I do accept fault for failing to convince these large companies to do the right thing, but I fell on my sword trying to convince the companies to maintain integrity in the process. Truth be told, there is a sense of failure no matter how hard you try to do the right thing, and failure will always cost everyone in the process. I have addressed how it costs consumers, and how it often affects the company engaging in the behavior, but it costs others as well. Oftentimes it costs the consultant their job, and then it begins to impact the credibility of the PCI Standard itself. In the long run, faking PCI compliance erodes the PCI Standard that was put into place to protect consumers, companies, and individuals. Undermining it is no different than allowing a child to cheat their way through every test so they can get that college scholarship – it contributes to a culture of fraud. Let’s say the cheating student does get that scholarship. Because they have cheated on every test, they have to continue to do so, first because they lack the basic knowledge of their non-cheating counterparts, but also because they lack the study habits and mental focus they should have acquired in school. They couldn’t stop cheating now if they wanted to: it’s too late. They will cheat until the professor catches them. Once caught, they are stripped of their scholarship, and their academic and personal record is tarnished forever. The situation is the same with corporate fraud: while faking compliance may save money in the short term, the longer the fraud is practiced, the more painful it will be for the company to ever gain true PCI compliance. While it may take more time to study to pass the test fairly, and it may take more money to gain compliance, like many things in life, the payoff will be well worth it!
References
1. Dave & Buster’s Settles FTC Charges it Failed to Protect Consumers’ Information, March 25, 2010
About the Author
Todd Bell is a revered subject matter expert in the field of IT Security who has made significant and transparent impacts that protect businesses and consumers alike. His impact is evident in the daily lives of people across the world by protecting their most sensitive information behind the scenes. For consumers who have traveled by land, sea, or air, used a credit card to purchase goods and services, used kiosks or global payment systems, utilized smart phone technology, purchased gift cards, received pharmaceutical information, provided patient data, gambled online, banked with major institutions, or provided financial information for lending, there is a significant chance that Bell has had an impact on the protection of their data.
Bell’s track record keeps him in high demand. Since taking his first CISO position seven years ago, he has worked as a Strategic Security Advisor for global institutions and as an Outsourced CISO. His Fortune 500 clients have never had a security breach, a result of his attention to detail, knowing the tough questions to ask, using investigative methods to get proper infrastructure facts, identifying enterprise weaknesses, and utilizing a natural instinct to understand the entire enterprise from top to bottom, knowing that securing sensitive data impacts every department. Bell credits his success to the premise that trust and credibility must be established with other executives through accountability and by being culturally sensitive to business members across the globe. Bell has managed to overcome time constraints and language barriers while staying focused on business objectives, which has earned him “trusted advisor” status with clients, as evidenced by his LinkedIn referrals profile.
COMPANY INFORMATION
EC-Council
https://eccouncil.org