Directed to lie/mislead about PCI data security compliance at work?
I am the lead network administrator for a company that takes credit cards via the web and phone for large Fortune 500 customers. Since a lot of our clients are publicly traded companies or financial institutions they often require us to be PCI compliant (security standard to help prevent credit card fraud). http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
As it relates to me being a network admin, we have to secure our physical network externally as well as our web-based credit card processing sites at an application level. Right now our web sites cannot pass the PCI external scanning requirements. If we or a third party run a test scan against them, they fail several key measurements of security due to bad coding, etc. If I tighten down the security to get it to pass the test, it will; however, the sites won't work even for placing orders! lol
That's the problem - the IT Director and CIO are under a lot of heat to get us PCI compliant, but honestly they are just really bad managers on the whole and give little communication/direction to their employees. My boss (IT Director) had me tighten down the security just for a 3rd party PCI auditor to do an external scan so it would show passed; then we had to immediately turn it off since these tighter security settings take down our sites. Now they are running around the company broadcasting how we are meeting these security standards and telling all of our clients we are PCI compliant, but I know damn well today we are not. Through proper planning, testing, and execution, yes, we could be, and most people could, but as you can see this did not happen.
My big issue with this from a moral standpoint is that I was instructed to partake in what I consider to be a dishonest act. In business and sales I am fully aware that the truth sometimes has to be bent to a near breaking point to acquire business, but the way this played out leaves me with a guilty conscience. People both internally and externally are going to be lied to and have been already. Can we become legitimately PCI compliant? Yes… but not like this. Now that they got their passed scan, no one but me really even cares about truly becoming compliant.
I think if we were a publicly traded company this would be illegal, but we are a private company. I fear if I take this to HR I may get fired by these same bosses. Since we are in an at-will state for employment and I cannot tell that this is breaking any federal law, I would have no action against them.
Please advise!
2 comments
Let me steer you on May 3, 2010 at 8:42 pm
Find another place to work. If you get in bed with con artists, you’ll wake up in the clink. When they get caught, they’ll blame it all on you and say you were the lead network administrator and it was your job to insure the network was PCI compliant.
Eventually, someone will steal and use a bunch of credit card numbers from one of your sites, and then you will be the one in the hot water.
Find a reputable place of employment.
Mandi on May 3, 2010 at 8:42 pm
First and foremost, your morality should come first. That is what you'll have left to deal with when all is said and done. I work in an escalated queue at a major credit card processor. Regardless of whether or not your company is PCI compliant, you as the merchant are 100% liable for any credit card fraud related to purchases made with your company. If your PC processing systems leak credit card info and VS/MC find out you were not PCI compliant at the time, you may be subject to fines that outweigh your company's worth.
Quote from http://usa.visa.com/merchants/risk_management/cisp_overview.html#anchor_7
Compliance Fines.
"If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance."
As far as your credit card processor is concerned, they may discontinue service as well without warning should they discover such an occurrence, and ensure that you cannot process credit cards for a time to come. My advice is to contact your merchant services provider and honestly advise them of your current situation. I answer people's questions like this quite frequently and can assure you that credit card processors will bend over backwards to keep you processing. They should be able to get you the resources necessary to get you fully compliant or extend your deadline for completion. In regards to personal liability, should you decide to go through with this scam… get a lawyer ;)