Friday, April 17, 2009

Hackers Not Limited...Is PCI?

Brian Krebs, from the Washington Post writes regularly on security.  Here's an excerpt from an article he wrote in response to Verizon Business' latest report on the state of the payments industry...

Hackers Test Limits of Credit Card Security Standards
The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.

In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire PCI scheme is only a tool to shift risk off the banks and credit card companies' balance sheets.

"The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Merchants and retailers who experience a breach and are later found to be out of compliance with the PCI standards face steep fines from the credit card companies, and may eventually be forced to pay banks the costs of reissuing compromised cards.

Michael Jones, chief information officer for Michaels Stores Inc., a craft store chain, maintains that the PCI mandates were developed from the perspective of the card companies, rather than those who are expected to follow them.

For example, major tenet of the PCI standards is that hackers cannot steal credit and debit card data if retailers simply choose not to store the data. But Jones said retailers are required to store the data to defend themselves from chargebacks, a dispute that can be initiated by a bank or by a bank's customer. If a retailer cannot produce a copy of the receipt in the face of a chargeback, that retailer is forced to pay the cost associated with that chargeback, Jones said.

"This could have been fairly easily solved using a unique approval ID for each transaction, thus eliminating the need for credit card number storage by the retailer," but the credit card companies have balked at that suggestion, Jones said.

Continue Reading Brian Krebs story at the Washington Post




, ,

Disqus for ePayment News