I agree that the Payment Card Industry Data Security Standard is flawed and unreliable as a breach-prevention mechanism. I applaud your push to advance the processing system and transaction security. But your attempts to place the blame of your security breach on your QSAs, your external auditors, are disingenuous at best. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car. Your role isn t even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI.
Source: https://threatpost.com/open-letter-heartland-ceo-robert-carr-081309/72977/