Sunday, April 05, 2009

Congress, Retailers Slam PCI Standards

Forbes.com reports that "In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted."

Accordingly, in a hearing last week, the House of Representatives' Committee on Homeland Security took aim at credit card companies like Visa and MasterCard, which are responsible for creating and enforcing the Payment Card Industry (PCI) standards that failed to prevent those breaches.

"Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies."

"'I don't believe that PCI standards are worthless,' said Rep. Yvette Clark, D-N.Y., who led the hearing. 'But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not.'"

"Clark called for changes to the standards that included better encryption of data, more frequent updates to the rules to keep up with constantly shifting cybercriminal tactics and new technologies for preventing identity theft like 'chip and PIN' cards--a system currently used in Britain that checks personal identification numbers against a tiny microchip in the card itself.

"Behind those recommendations loomed the threat of legislation. Rep. Bennie Thompson, D-Miss., the Homeland Security Committee's chairman, suggested that the PCI rules were written by card companies to shift blame to retailers and partners rather than actually preventing cybercrime."

At last week's hearing, retailers offered their own criticisms of those standards. Michael Jones, the chief information officer at the retail company Michael's, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."

He argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than was necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.

Representatives from the payment card industry countered that more stringent rules and new technological requirements could be costly for small merchants. "Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."
