Card Industry Security Standards Draw Heat From Congress
In a reflection of the issue's steadily rising profile, the March 31 hearing was held before the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology; the overall committee mood was one of dissatisfaction and criticism.
"I don't believe that PCI standards are worthless," said Rep. Yvette Clark, (D-N.Y.), who opened the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."
Chief among the legislators' concerns was the fact that two of the biggest breaches had taken place at PCI-compliant retailers and processors.
Clark suggested better encryption of data, more frequent updates to the rules to keep up with constantly shifting criminal tactics and new technologies for preventing identity theft like chip and PIN cards. Visa has opposed chip and PIN technology in the past because of cost and it would only provide protection at point of sale terminals. Countries that have adopted chip and pin technology often see online card fraud grow rapidly.
Behind the legislators' expressions of concern was a looming threat of legislation.
Rep. Bernie Thompson (D-Miss.), the Homeland Security Committee chairman, suggested that the card companies had only written the data security standards to shift blame to retailers and partners rather than actually preventing card fraud.
"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," Thompson said. "We, in Congress, must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."
A few retailers at the hearing also criticized the standards, claiming they were too expensive, too confusing and inconsistent.
Michael Jones, the chief information officer at Michael's, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."
"The PCI Security Standards Council was allegedly spun off from the credit card companies and set up as an independent governing body of credit card company, bank and merchant representatives," Jones said. "In fact, the council is set up so that the credit card companies and banks retain all power over the ultimate standards, fines and anything else connected to PCI. Because of this, the standards do not represent what is the best security but rather what is best for the credit card companies and their financial institution partners."
Jones argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than is necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.
In the past, some card data breaches were exacerbated because retailers were holding onto card security data that the card brands said never should have been kept.
But National Retail Federation Senior Vice President and Chief Information Officer David Hogan said retailers are required to produce a card receipt when purchases are disputed. If the retailer can't produce the receipt, the card companies issue a charge-back, and the amount of money in question is deducted from the retailer's account, even if the transaction was legitimate, he maintained.
Hogan told the subcommittee that NRF in 2007 proposed to the PCI Security Standards Council that retailers no longer be required to store credit card numbers. Under the proposal, Hogan said NRF recommended that retailers should have the option of letting card companies and banks store the information instead.
Retailers that choose to participate would only have to keep a transaction authorization code and a truncated receipt without the customers' full credit card number. Credit card companies would agree to accept the code and truncated receipt as proof of any disputed purchases. Doing so would eliminate the risk of hackers stealing data from participating retailers because they would no longer hold the information, he said, but the proposal has never moved forward.
Like Hogan, Jones cited faults and contradictions in the PCI standards. For example, the standards require that data be encrypted, but makes an exception for data on private networks, and requires that data be unencrypted when sent to a retailer's bank because the banks aren't equipped to accept encrypted data.
Executives from the payment card industry countered that more stringent rules and new technological requirements could be costly for small merchants.
"Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."
Which is why it would be better not to hold the data at all, Hogan argued.
"All of us-merchants, banks, credit card companies and our customers-want to eliminate credit card fraud," Hogan said. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them." --email@example.com