March 31, 2009 5:40 PM PDT

Retailers: Credit card data inadequately protected

by Stephanie Condon

WASHINGTON--The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the convenience of the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.

In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.

The credit card industry maintained at a congressional hearing Tuesday that self-regulation is effective, pointing out that since the PCI standards were published, security breaches have occurred only when an entity is not fully in compliance with the standards.

"I have no doubt that compliance to PCI standards are the best line of defense," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."

Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.

"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."

Michael Jones, the CIO for Michaels Stores, backed up Hogan's comments with the fact that the credit card companies' financial institutions do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.

Transferring this data unencrypted can lead to breaches like the Heartland breach, or the 2007 TJX breach that compromised 45.7 million customer accounts, Jones said. Michaels has been asking for the past three years for the ability to encrypt transaction information, he said.

"The need is not there" to encrypt the information, given the other security steps the PCI standards call for, Russo said. "Why put merchants through the expense?"

Joseph Majka, head of fraud control and investigations for Visa, said the industry is exploring new technologies, including end-to-end encryption, that could provide a solution.

"I wouldn't call (encryption) an emerging technology," Jones responded. "I feel that it should have been in the standard long ago."

Hogan said the PCI Security Standards Council has ignored a number of other recommendations from the retail industry, such as allowing consumers to enter a personal identification number for credit card transactions.

The Council should consider updating its standards more frequently, said Rita Glavin, acting assistant attorney general in the criminal division of the Justice Department. It should also consistently inform federal law enforcement when breaches occur, she said.

"It helps us get a sense of what's going on so that we can get in front of the problem," Glavin said.

Even though they may not be perfect, the PCI standards are beneficial, she said.

"Having any security system and uniform systems are going to help," Glavin said. "It's a floor and a way to begin the process of preventing breaches."

Stephanie Condon is a staff writer for CNET News focused on the intersection of technology and politics. She is based in Washington, D.C.

8 Comments
by Lerianis3 March 31, 2009 5:50 PM PDT
The fact is that EVERYTHING to do with credit card information or money in any form should be encrypted, whether it is being transferred from a regular store in a mall or online. In fact, it's time to bump up the security from 128-bit to 512-bit or higher on credit card information transferred online.
by joerickx March 31, 2009 6:40 PM PDT
My proposal is to create a federal law that will send the CEO, COO, CFO and CTO to jail for one hour for each credit card account that is stolen from the servers under their "protection". Want to see your credit card info protected? Pass a law like that and you'll see it protected real fast!
by smallvoice March 31, 2009 7:20 PM PDT
The best way to handle such problems is to cut the credit card(s) in half and throw them away. You will be out of debt sooner, also.
by professionaladventurer March 31, 2009 7:40 PM PDT
What about the low-wage worker who swipes your card? What about the waiter who left with your card number for 3 minutes? What was he doing? What about the underpaid web/database admin who has access to the customer data at the processing center? No amount of encryption will protect you. I still have a CD with 500,000 customers' full background and personal history from 1998-99 (in a safe) from when I built a mortgage app in California that was in use by a major lender, but ran on our servers.
by BenjaminWright March 31, 2009 7:41 PM PDT
The Federal Trade Commission treated TJX unfairly. It swallowed the banks' arguments that retailers are supposed to bear exceptionally high security obligations. Had the FTC examined the entire credit card system more carefully, it could not have concluded that TJX had acted unlawfully. http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html --Ben
by zeroplane March 31, 2009 11:07 PM PDT
Why, of course credit card companies are horribly insecure. How else would they push the extra $17.99-a-month subscription for identity theft coverage?

Seriously why should consumers have to pay for a service that is horribly mismanaged and puts your livelihood and financial future at risk?
by st737mn April 1, 2009 6:08 AM PDT
The PCI Data Security Standard is not the problem, the problem is compliance with that standard. Maybe a jail-time penalty for non-compliance.
by mojojam April 4, 2009 8:39 PM PDT
This is nothing new but I'm glad someone is starting to do something about it.

I've been tossing around the idea of using those "gift" credit cards as temp cards. Just add money to it when I need it and ditch it after 6 months. Although I don't know if the fees and whatnot associated with it (I'm not sure what they are) will make it worth it or not.