The first is from SC Magazine, Visa expels Global Payments following 1.5M-card breach:
“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”
And the second is from Adrian Sanabria, QSA at Sword and Shield, Global Payments Credit Card Data Breach:
The worst thing I’ve been able to determine from the details so far is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.
It’s a doubly-bad violation of DSS to 1) Not be compliant in the first place, and 2) to suffer a loss of cardholder data.
I imagine the reinstatement audit, if there is one, will be quite extensive.
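As an added example (not code from either quoted post), here is the kind of check a QSA or internal security team would run to catch the requirement 3.2.1 violation described above: scan stored records or logs for the ISO 7813 Track 1/Track 2 layouts that a raw magnetic-stripe swipe produces, and use a Luhn check on the embedded PAN to drop false positives. The sample lines and the card number in them are constructed test data.

```python
import re

# ISO/IEC 7813 track layouts as they appear after a raw swipe.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the finding itself is not track data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return one finding per track-data occurrence, never echoing the full PAN."""
    findings = []
    for line_no, text in enumerate(lines, start=1):
        for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in rx.finditer(text):
                if luhn_ok(m.group("pan")):
                    findings.append({"line": line_no, "track": track,
                                     "pan": mask_pan(m.group("pan")),
                                     "exp": m.group("exp"), "svc": m.group("svc")})
    return findings


# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_LINES = [
    "2012-03-30 12:00:01 auth ok pan=411111******1111 amt=42.00",          # masked: fine
    "2012-03-30 12:00:02 swipe=%B4111111111111111^DOE/JOHN^25121010000000000?",  # Track 1
    "2012-03-30 12:00:03 swipe=;4111111111111111=25121010000000000?",      # Track 2
    "2012-03-30 12:00:04 swipe=;1234567890123456=25121010000000000?",      # fails Luhn
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: track {f['track']} data stored, PAN {f['pan']}")
```

A hit on any persisted store (database, log, crash dump, backup) is evidence of the 3.2.1 violation regardless of whether the rest of the audit passed.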