Friday, April 11, 2008

PCI Standards Again Questioned in Wake of New Breach

Interestingly, the brick-and-mortar world (the one chock full of PCI Standard compliance demands) seems less secure than the online world. Yet online retailers pay exorbitantly higher fees than brick-and-mortar retailers. Card Not Present transactions are certainly higher-risk transactions, but HomeATM's Internet PIN Debit platform, combined with their PIN Entry Device (PED), could cut risk significantly and thus save online retailers 100 basis points off their Interchange fees.

In yet another breach, this one at Advance Auto Parts, Retail Wire questions whether or not we should move to Chip and PIN based transactions.

Here's the discussion in today's Retail Wire...

And yet again, an American retailer and its customers go down the road of data theft. In this case, the retailer is Advance Auto Parts and the most recent hack affected 56,000 of its shoppers in eight states - Georgia, Indiana, Louisiana, Mississippi, New York, Ohio, Tennessee and Virginia. Luckily, the customers from the stores in question represent a small portion of the total shoppers that frequent the chain's 3,261 stores across the country.

The discovery of the breach, as with those at other retailers, has prompted Advance to reassess its security measures. Others, at the same time, are once again questioning if Payment Card Industry (PCI) compliance standards are either fair or effective.

In a recent interview with RIS News, Dave Hogan, senior vice president and chief information officer with the National Retail Federation (NRF), expressed the view that more secure forms of payment such as "Chip & Pin" were available and proven in reducing fraud. He suggested that card associations should "provide (at no cost to the merchant) card readers that can accept these new types of cards."

Mr. Hogan also took issue with the amount of data that merchants are required to keep by banks. He called on financial institutions to "state that 'Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.'"

To read the Retail Wire discussion, click here. I'm sure it will garner a lot of responses. Here is one from Evan Schuman, former eWeek contributor and StoreFrontBackTalk editor:

To answer your question, yes, Hogan's concerns are quite reasonable. Much of this, though, is a lot of agreement on the easy issues. There are few who truly argue with the following:

1) PCI is not perfect and retailers who are fully compliant are still fully vulnerable. Even PCI's backers agree with this. PCI was never intended to be perfect security. PCI was never intended to be anything beyond a good starting point.

2) PCI has absolutely improved retail security today. Again, this is pretty much unanimous. It's not gone nearly far enough, but any movement forward is good.

3) Banks are, for the most part, much better choices than retailers to store sensitive payment data. Again, no one ultimately quarrels with this. The issue involves infrastructure, politics and business costs. To make this transition would require tons of agreement from people who are not motivated to make such agreements. So arguing that it's better doesn't help much if it can't be done given the powers that be.

4) Chip and PIN is more secure than what much of the U.S. is doing. True. But Chip and PIN--as it's deployed in the U.K.--also has many issues. Making the transition would be costly, would meet with substantial infrastructure resistance AND it would still leave retailers far more exposed than is desirable. For the same extreme effort and cost, we could probably come up with a more secure approach.

It's also true that if all retailers strictly adhered to the common-sense rules (no default passwords, examine traffic logs routinely and seriously, strictly enforce procedures, etc.), we'd also be far better off.

This, however, doesn't address the Hannaford scenario where--based on currently available information--we have a retailer that indeed appeared to abide by all of the rules and still got burned by some aggressive cyber thieves. That's the more rare but far more frightening scenario.

Evan Schuman, Editor, StorefrontBacktalk.com
