Spam is one of those things we have grown to live with; right up there with junk mail and infomercials.  When we think of spam we usually imagine a Nigerian 419 email or something more sexual in nature.  But today I received a spam message that topped the list of niche markets — PCI spam!

The following is an email I received that purported to help you achieve PCI compliance.

[Image: pci_spam]

This initially looks like a legitimate company that is trying to sell some snake oil and make a buck off the uninformed small merchant, but it’s actually much worse.

It seems PCI has become so popular that even phishers and spammers have begun to capitalize on it, ironically stealing your credit card number under the guise of helping you become PCI compliant.

By the time I clicked on the link, the URL ( did not resolve, but a quick WHOIS lookup revealed the domain for what it was.  Under the list of DNS servers it says:


Sigh.  It seems there is no place sacred from phishing and spam.  Worst of all, it’s meant to exchange your credit card number for PCI compliance.  Perhaps we need PCI DSS Requirement #13: Do not use your credit card to pay for PCI compliance.