Retailers: Credit card data inadequately protected
In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach,some congressmen are questioning whether the Payment Card Industry DataSecurity Standards, created and regulated by credit card companies, aresufficiently protecting information.
The credit card industry maintained at a congressional hearing Tuesdaythat self-regulation is effective, pointing out that since the PCIstandards were published, security breaches have occurred only when anentity is not fully in compliance with the standards.
"I have no doubt that compliance to PCI standards are the bestline of defense," said Robert Russo, director of the PCI Data SecurityStandards Council. "We have never found a breached entity to be in fullcompliance at the time of breach."
Yet representatives of the retail industry told a panel of theHouse Homeland Security Committee that when the credit card industryestablished the PCI standards in 2004, it did so mainly to reallocateits own fraud costs.
"In our view, if you peel off all the layers around PCI datasecurity standards, you will see it for what it is," said Dave Hogan,senior vice president and chief information officer for the NationalRetail Foundation. "In significant part, (it is) a tool to shift riskoff the banks' and credit card companies' balance sheets and place iton others."
Continue Reading at CNet News