Congressional Hearing: PCI under fire
Is Chip and PIN on the horizon?
The Payment Card Industry Data Security Standard (PCI DSS) is the set of rules retailers must follow to keep consumer credit and debit card information safe. But with data breaches still occurring on a regular basis, there are questions about how much the rules actually protect consumers.
In late March, the U.S. House of Representatives' Committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing titled "Do The Payment Card Industry Data Standards Reduce Cybercrime?"
One concern raised at the hearing is that stolen credit card numbers are used to fund terrorists. Rita M. Glavin, acting assistant attorney general for the criminal division at the U.S. Department of Justice, cited one case in Indonesia.
Imam Samudra wrote about the use of credit card fraud and "carding" as a means to fund terrorist activities in his 280-page autobiography. Carding is the theft of large volumes of payment card data, its resale, and its use by criminals to commit fraud. Samudra sought to fund the 2002 Bali nightclub bombings, of which he was convicted, in part through online credit card fraud.
The consensus from retailers and those representing them at the hearing was that PCI doesn’t work. “Since its inception, PCI has been plagued by poor execution by Visa, MasterCard and the other credit card overseers of the program,” said Dave Hogan, senior vice president and Chief Information Officer for the National Retail Federation. “The PCI guidelines are onerous, confusing, and are constantly changing. Many retailers say that basic compliance is like trying to hit a rapidly moving target.”
Subcommittee Chairwoman Yvette D. Clarke (D-N.Y.) said PCI standards serve a purpose. “But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure,” she said.
One possible solution to stem credit card fraud: entering a PIN to verify each transaction. “Implementation of encrypted PINs for all credit and debit card transactions could be useful,” a subcommittee report stated.
"The U.S. is being blown away by security investments overseas, and our 1950's era system is making us a weak link in the security chain," Clarke said. "Magnetic stripe-based technology is outmoded and inherently less secure when compared to smart cards or other developing technologies. While I am deeply concerned about our security, the payment card industry and issuing banks should be ashamed about the current state of play and doing everything possible to immediately institute improvements in infrastructure."
Michael Jones, senior vice president and Chief Information Officer at Michaels Stores Inc., testified about his experience with banks and PCI, suggesting that the rules were not created with the retailer in mind.
“They are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement,” Jones said. “It is often stated that there are only twelve ‘Requirements’ for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.”
Jones also takes issue with the encryption requirements in PCI. The standard says cardholder data must be encrypted in transit, with one exception: it does not have to be when the data is sent over a private network.
Jones said this is a gap that can be exposed. “The credit card companies’ financial institutions, the very organizations that have created and are mandating this rigorous and highly-complex standard, do not accept encrypted transactions,” he said. “We must decrypt the credit card number at our corporate headquarters prior to sending to the merchant bank for approval.”
Michaels has wanted to encrypt all of its transactions end to end, Jones said, but was told it would be too expensive to implement and too expensive to develop an industry-wide standard for.
The data breaches at TJX and Heartland Payment Systems exposed this gap, Jones said. "Had it been encrypted they would most likely not have been able to read the data."
The PCI rules are not bad, and credit card information is safer now than it was before. But Jones urged the subcommittee not to pass any additional legislation on the matter. "We do not need more laws," he said. "The existing (sometimes) misguided enforcement and the proliferation of state regulations around these issues have created a difficult, if not impossible, environment for retailers to effectively meet the legal requirements imposed on them should a breach of information occur."
Instead, Jones said, the credit card companies need to take greater responsibility and better secure the systems that are already in place.