AP: Weak Security Opens Door To Credit Card Hacks
"PCI compliance can cost just a couple hundred bucks," said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. "If that's the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need."
For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there's little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud. And retailers with fewer than 6 million annual card transactions — a group comprising more than 99 percent of all retailers — do not even need auditors. They can test and evaluate themselves.
At the same time, the card companies themselves are increasingly hands-off. Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's. In the U.S., that means fewer than 100 payment processors out of the 700 that Visa works with are PCI-compliant.