By taking the payment processors off its list of certified providers, Visa is “offering a passive opinion of the PCI standard, which is that it doesn’t amount to much in the end,” Schneier said.

I bet if Visa started charging them 1% more on every transaction until they got into compliance it’d never happen again. PCI, from the audits I’ve been through, looks like a list put together by a college intern reading C|Net news articles about break-ins and doesn’t come close to ensuring a secure environment. Unfortunately several of the more baroque requirements, especially in the first versions, lead to high merchant costs and lowered security (e.g. hashed passwords were forbidden, only crypt()’ed was allowed; line-printers required for system logs, etc.). All so Visa doesn’t have to spend money on post-1960′s security!

I wonder if they’ll release details. ‘Malware’ makes it sound like some n00b was using unsecured Windows on a secure network.