Cybersecurity Panel Leaders Suggest New Card Security Standards
The U.S. payment card industry (PCI) got an unwelcome suggestion from the House Homeland Cybersecurity Subcommittee Tuesday that its security standards regime could use a federal backup. Echoing criticisms often leveled at the Federal Information Security Management Act, which governs data and network security at agencies, lawmakers said the PCI standards that govern merchants and payment processors had become a “check box” exercise that doesn’t adequately guard against data breaches. The industry in Europe and Asia is upgrading infrastructure to improve the security of transactions, said Homeland Security Committee Chairman Bennie Thompson, D-Miss. “I am puzzled and disappointed that we are not seeing similar upgrades here domestically.”
But the hearing quickly turned into a finger-pointing exercise between representatives of the card industry and merchants. A major disagreement emerged over whether card companies will penalize merchants that don’t store credit-card numbers for use in settling customer disputes over charges.
Credit card numbers stolen through hacks on retailer databases, Trojans and phishing scams are a major way that terrorist groups finance themselves, said Subcommittee Chairman Yvette Clarke, D-N.Y. An investigation by the full committee found that the PCI standards are “of questionable strength and effectiveness” and that following them completely doesn’t guarantee protection against breaches, she said. Clarke pointed to a retailer that was certified as PCI-compliant a day after it was notified that its system had been hacked and that stored credit card numbers were sold on the black market. The PCI standards can only be updated by unanimous consent every two years, and they don’t require regular penetration testing by merchants, she said. The U.S. industry should consider a system like “chip and PIN,” a system deployed in the U.K. that has reduced fraud losses by two-thirds in three years. “The time for shifting risk is over,” Clarke said.
Ranking Member Dan Lungren, R-Calif., said standards for breach notification need to be devised first. He and his wife’s credit cards were both unusable a day before their card issuer notified them of a breach, resulting in a missed auto-payment, he said. “The key to this Internet economic engine running smoothly is data security,” yet the government should be wary to push through its own rules, given agencies’ regular data breaches, Lungren said. The problem may be a “one-size-fits-all” regime that doesn’t give enough flexibility to merchants that are neither “mom-and-pop” nor big retailers, two categories with different treatment under the PCI standards, he said.
Lawmakers didn’t find explicit support from a Justice Department official for overlaying the PCI standards with federal rules. Investigations by DoJ, the Secret Service and international law enforcement partners have brought down major criminal rings which sold stolen credit card information over the Internet, including Dark Market and Shadowcrew, said Rita Glavin, acting assistant attorney general for the Criminal Division. The PCI standards are a “way to begin the process of preventing breaches” but companies need to do regular testing of their systems too, she said. Immediate notification of law enforcement when breaches are discovered is paramount, but “sometimes these breaches aren’t readily apparent and are hard to detect” because criminals steal data “piece by piece” over time, Glavin told Rep. Ben Lujan, D-N.M. She declined to back federal rules when asked several times by lawmakers.
The PCI Data Security Standards Council has never found a breached entity that was in full compliance with the standards at the time of the breach, Director Robert Russo said. “Effective security is not a one-time snapshot.” The council has “mechanisms to take swift action” in contrast to Clarke’s assumption, regularly updating its testing procedures and doing regular educational webcasts with merchants, he said. It also connects them with security assessors and vendors who can remotely scan their systems for weaknesses, Russo said. Visa also has always found security “gaps” in breached companies that were PCI-compliant, said Joseph Majka, the company’s head of fraud control and investigations. The company applies “multiple layers of security” at the card, point-of-sale and network levels.
The fault lies with the card industry and merchant banks, said Michael Jones, the chief information officer for Michaels Stores. The PCI standards are “extraordinarily complex” and “ultimately subjective” in interpretation and enforcement. Most retailers don’t want to keep card information, the main source of breaches, he said, but the standards require them to do that so banks and customers can run charge-backs for unrecognized transactions. Retailers have asked to create a “unique approval ID” for transactions so they don’t have to store card numbers, but the requests have been rejected, Jones said. The council also rejected retailers’ suggestion to require end-to-end encryption for private-network transactions, the lack of which allowed the massive TJX breach, he said. “The retailer is in the press,” Jones said. “The retailer is demonized.” The council is set up for credit card companies and banks to “retain all power,” he said.
PCI-compliant systems aren’t necessarily any safer than the systems that merchants had to abandon to stay in card companies’ good graces, said Dave Hogan, chief information officer for the National Retail Federation. The standards are “onerous, confusing and constantly changing,” and it’s “just not realistic” to expect merchants can keep pace with hackers. The standards are a “tool to shift risk off the banks and credit card [companies'] balance sheets and place it on others,” Hogan said. Card companies should eliminate penalties on merchants for not storing data and consider a PIN system for credit cards, like the one used for debit cards, he said.
The council isn’t stonewalling on more effective measures to protect card data like private-network encryption, Russo told Clarke. There are already measures under the standards for private networks, and the council issued a proposal to technology companies to assess “emerging technologies” like end-to-end encryption, “tokenization” and chip-and-PIN, he said. But “there really is no silver bullet here.” Lujan noted that the CEO of Heartland Payment Systems recommended end-to-end encryption after that company’s large breach. But if merchants follow the standards “religiously,” there’s not much use for internal encryption, which will be expensive for some merchants to adopt, Russo said.
Retailers already do a lot of Internet transactions, where the standards require encryption, so it’s not as much of a stretch to add the requirement for private networks, Jones said. Chip-and-PIN “should have been in the standard long ago” as well, he said. Participants made several recommendations that went into the council’s last standards revision, in October, Russo said. “We do not create this standard in a vacuum.”
Visa doesn’t know what retailers are talking about when they complain about having to keep card data, Majka said. It has been telling retailers for three years exactly what they need to maintain, and those who choose to keep card data must secure it properly, he said. They can also work with their banks on alternative transaction identification methods, Majka said. “I would love to have somebody go on record here” that retailers won’t be fined if they don’t store card data, Hogan said. “I find this discrepancy to be very troubling,” Clarke said.
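The “unique approval ID” Jones asks for, the “tokenization” Russo mentions and the “alternative transaction identification methods” Majka describes all come down to the same idea: the merchant keeps a substitute identifier for chargebacks while only the processor’s vault holds the card number. The sketch below is an added illustration, not code from any party at the hearing or from the PCI Council; the vault design, the record layout and the sample card number are assumptions, and the Luhn scan is a defender’s check that card numbers have not crept into merchant storage.

```python
"""Tokenization sketch: merchant stores an approval ID, the vault stores the PAN."""
import hashlib
import hmac
import re
import uuid

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn check, used here only to spot card numbers leaking into merchant data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault (assumed design): the only place a PAN is kept."""

    def __init__(self, key: bytes):
        self._key = key
        self._pan_by_token = {}   # token -> PAN
        self._token_by_fp = {}    # keyed fingerprint -> token, for repeat cards

    def tokenize(self, pan: str) -> str:
        # Keyed HMAC lets the vault reuse one token per card without a cleartext index.
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if fp not in self._token_by_fp:
            token = "tok_" + str(uuid.uuid4())   # random; nothing is derived from the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return self._token_by_fp[fp]

    def pan_for_dispute(self, token: str) -> str:
        """Chargeback path: the bank resolves the token, the merchant never sees the PAN."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant retains: approval ID, last four digits and amount only."""
    return {"approval_id": vault.tokenize(pan), "last4": pan[-4:], "amount": amount_cents}


def leaks_pan(record: dict) -> bool:
    """Defensive scan: does any field contain a Luhn-valid 13 to 19 digit run?"""
    return any(luhn_ok(run)
               for value in record.values()
               for run in re.findall(r"\d{13,19}", str(value)))
```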