
Consumer credit card data at risk of compromise

Wednesday 01 April 2009 | By Heidi Scott, Gosh! Media Copywriter

Tags: Privacy, Retail, Security

On Tuesday 31 March, representatives of the US retail sector told Congress that the self-regulation set up by the credit card giants to protect consumer data sacrifices some security in the name of convenience for the credit card companies and their financial institutions.

The self-regulatory standards were created by the Payment Card Industry (PCI) Security Standards Council, a global forum launched in 2006 to develop and manage the PCI security standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Requirements. A Limited Liability Corporation (LLC) chartered in Delaware, USA, the Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Following recent data breaches that have compromised consumer data – such as the potentially massive 2008 Heartland Payment Systems breach in the US – some members of Congress are questioning whether the PCI Data Security Standards are sufficient to protect consumer information adequately.

At a congressional hearing in Washington on Tuesday, the credit card industry maintained that self-regulation is effective, arguing that – since the PCI standards were published – security breaches have occurred only when an organisation is not fully compliant with the standards. Director of the PCI Data Security Standards Council, Robert Russo, was quoted by CNET News as saying, "I have no doubt that compliance to PCI standards are the best line of defense. We have never found a breached entity to be in full compliance at the time of breach."

Representatives of the retail industry, however, told a panel of the House Homeland Security Committee that the credit card industry had created the PCI standards mainly to reallocate its own fraud costs. Dave Hogan, Senior Vice President and Chief Information Officer for the National Retail Foundation, commented, "In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is. In significant part, [it is] a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."

His argument was supported by Michael Jones, the CIO of Michaels Stores, who stated that the financial institutions that partner with the credit card companies do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.

Mr Jones went on to state that it is the unencrypted transfer of such data that can result in breaches such as the Heartland one, or the TJX breach in 2007 that is said to have compromised over 45 million customer accounts. Michaels Stores, Jones pointed out, has been asking for the past three years for the ability to encrypt transaction data.

Robert Russo responded by saying that there is no need to encrypt the information, given the other security measures the PCI standards require. "Why put merchants through the expense?" he asked.

For the retailers, Dave Hogan said that the PCI Security Standards Council had ignored a number of other recommendations from the US retail industry, including allowing consumers to enter a personal identification number for credit card transactions.

Rita Glavin, acting Assistant Attorney General in the criminal division of the Justice Department, commented that the Council should consider updating its standards more frequently, and should consistently inform federal law enforcement when breaches do occur. She added, however, "Having any security system and uniform systems are going to help. It's a floor and a way to begin the process of preventing breaches."
