Can retailers self-regulate PCI standards?
March 31, 2009 by Valerie Helmbreck. Posted in: Communication, Compliance, In this week's e-newsletter, Information security, Latest News & Views
Like the now-disgraced banking industry, which Alan Greenspan believed capable of self-regulation because doing so was in its institutions' own best interests, another sector may soon be facing its regulatory Waterloo.
Congressional hearings this week on credit card data security breaches seem to have turned up a similar attitude among credit card processors and issuers.
It seems that the self-regulatory system the credit card companies have set up to protect consumer data sacrifices some pesky consumer protections for the convenience of the card companies and their financial institution partners, retail representatives told Congress on Tuesday.
After the massive Heartland Payment Systems breach, Congress decided to firmly shut the barn door once the horse had disappeared into the sunset. Hearings into how such a huge amount of data could be so easily purloined have turned up some nasty little secrets about the Payment Card Industry (PCI) Data Security Standard, which is created and regulated by the credit card companies themselves.
Seems that if PCI standards are maintained, it’s unlikely data will be compromised.
But there’s no law that says PCI standards have to be maintained.
Does this sound like deja vu all over again, folks?
Self regulation may seem like a lovely, freedom-loving idea, but in the case of corporate interests, it also seems to be an easy excuse to ignore important safeguards and procedures.
Tags: breach, congress, credit card, data, hearings

April 7th, 2009 at 3:10 pm
I don’t think there is a significant argument for government regulation of Payment Card Industry controls and standards.
- For the actual credit card companies, Visa, MC, and Amex, there is financial incentive from multiple approaches to strictly regulate their subordinate processors and merchants. If they fail to self-regulate, then government regulation is sure to come, and all regulation carries an explicit cost. Additionally, there is incentive to control loss of revenue due to fraud, as well as to protect their respective brands in a competitive marketplace.
- What exactly would you (or anyone) want government regulation to accomplish? Meaning, what incremental standards SHOULD be instituted that are not currently being met? Compare with the Gramm-Leach-Bliley Act (GLBA), which regulates the Financial Services sector, specifically around consumer banking. Anyone in the industry knows that PCI (Payment Card Industry) regulation is more stringent, harder to achieve, and requires more rigorous monitoring to maintain than GLB. The penalty for failing to meet GLB requirements is that the FFIEC can shut you down. Likewise, the penalty for failing to meet PCI standards is that Amex, Visa, and MC can shut you down. GLB, ratified into law, has to be amended by LITERALLY an act of Congress in order to update and maintain. Meanwhile, PCI, which is a privately-managed standard, has already gone through three revisions, and is a continually-evolving standard. Bottom line: Your CREDIT CARD data is safer than your BANK ACCOUNT data.
- Heartland was found to NOT be in compliance with PCI standards, and MasterCard has issued a statement to that effect: if they HAD been in compliance, the data breach would not have occurred. I do think this is a heads-up to the entire industry that attacks are mounting in number and growing in sophistication, and ALL payment processors are at risk. There is no place in the industry for sloppy administration or complacency.
Increasingly, the point of sale originates on the consumer's PC, which is not regulated by any standard, and is a significant risk for consumer, vendor, and issuer. The aggregate risk due to insecure consumer PCs drastically outweighs that of a fully compliant processor. There are social engineering attacks, such as phishing and Nigerian scams, where the consumer voluntarily discloses the Primary Account Number (PAN), verification number, cardholder name, and expiration date. Additionally, key loggers, trojans, root kits, and other malware are becoming increasingly sophisticated, to the point that these attacks now intercept keystrokes and/or scour the hard drive looking for credit card data. There is no amount of regulation that will address this problem.
To make a final point — Bank Cards (Credit cards issued by a bank) create further complexity, due to the fact that part of the transaction falls under PCI, and another part falls under GLB.