AP: Weak Security Opens Door To Credit Card Hacks

Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."

"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."

Representatives for MasterCard, American Express, Discover and JCB — which, along with Visa, steer PCI policy — either didn't return messages from the AP or directed questions to the PCI security council.

PCI's general manager, Bob Russo, said inspector certification is "rigorous." Yet he also acknowledged that inconsistent audits are a problem — and that merchants and payment processors who suffered data breaches possibly shouldn't have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.

The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.