Why aren't the Big Four accounting firms among your list of qualified assessors? They were at one point, weren't they?
They had some liability issues that they weren't ready to sign up for. They look at it and say, "This is a small company here which is a QSA. Maybe it's a $2 million or a $3 million or a $10 million business, and here we have a multibillion-dollar business. Our liability is a lot worse." We are doing a couple of things behind the scenes to see if we can rectify that.
We are going more to a risk-based approach type of thing. We want to get them into a lot of these larger merchants, which are already using these guys. They already know these guys [the Big Four] and they want to continue using these guys, as opposed to going out with somebody else. So we are looking at it.
What happens when an assessor certifies a merchant as being PCI compliant and then the merchant gets breached? Does the liability then fall on the assessor?
It depends on what's going on. Being a snapshot in time, the company could very well have been compliant on the day the report was written. But if they were not following their logging rules, or if they were not patching their systems, or not scanning on a regular basis, they could fall out of compliance. That's why the [credit card] brands say you have to be compliant at the time of the breach. Safe harbor depends on whether you are compliant at the time of a breach.
Some people have called the PCI standard too prescriptive. What's your response?
The fact that you say "You have to be secure" is wonderful. But unless you tell people what they really need to do, they only think they are secure.
PCI is prescriptive enough that it tells you exactly what you have to do. I daresay if you open the standard up and show it to any security guy and they don't know it's PCI, [they would tell you] there isn't anything there that you shouldn't be doing for security. There are no new concepts, there is nothing strange; we are not making you jump through hoops. These are things you should be doing as best practices.
So I take exception when somebody says it's too prescriptive. Does that mean you just don't want to do it? That it's too hard? That you don't have the time or the money? Because really -- tell me what's in here that you shouldn't be doing.
The recent breach at Hannaford Bros. marked the first time that a PCI-compliant company was compromised. Does that point to a gap in the standard?
Just because they raised their hand and said they were compliant doesn't necessarily mean they were compliant. As you know, compliance is a snapshot in time. You could be compliant and five minutes later you don't apply a patch and you aren't compliant anymore.
I don't know if in fact they were compliant. Did they receive a certificate from somebody that said they were compliant? And if they did, they probably put that in a drawer and they whipped it out and said "Look, we were compliant as of February 27." Yeah well, that was February 27. Where are you now? You've got to be vigilant when it comes to compliance.
I don't know specifically what happened, if anything happened. People are constantly asking me to point a finger. Should I point the finger at Hannaford? Should I point a finger at the [assessor] who did the assessment? Should I point a finger at the standard because something was wrong with the standard? I don't have the answers. When I get the answer, if it is something in the standard, then we'll address it immediately. If it is specific to an assessor, then we'll take action as well.
Does PCI address the issue of theft of data in transit? In the cases of the Hannaford and Okemo breaches, the data appears to have been stolen right after the cards were swiped, and possibly before it was encrypted.
We don't have the information right now. The way the standard is structured at this point it doesn't say you have to encrypt data that is traversing your private network. If it is on the outside, it would have to be encrypted. There are enough controls in the standards as it is written now to protect the inside of the network. So either they were not compliant or something happened on the inside. If we find out something did go awry within the standard, we will address it immediately. Right now, I don't see it. I see the standard as being solid.