PCI security rules may require reinforcements

The PCI standard, long touted as one of the private sector's strongest attempts to regulate itself on IT security, is increasingly being slammed by critics who claim that the rules aren't doing enough to protect credit and debit card data.

And amid all the complaints, Visa Inc. - the standard's biggest proponent - is working one-on-one with banks and retailers to test new security measures that go beyond the controls currently mandated by PCI.

What it all adds up to is a new sense of uncertainty about the future of the specification, which is formally known as the Payment Card Industry Data Security Standard, or PCI DSS. Created by Visa and other credit card companies, the PCI rules will have been in effect for four years as of June 30. But with breaches of card data continuing and questions about the standard's effectiveness on the rise, PCI DSS is showing signs of coming apart at the seams.

Criticism of the standard isn't new. But since the recent disclosures of breaches by payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc., PCI DSS has been hit with some of its most forceful denunciations thus far.

For instance, at a March 31 hearing held in the U.S. House of Representatives, Rep. Yvette Clarke (D-N.Y.) said that PCI DSS simply isn't sufficient for protecting cardholder data. The security rules aren't "worthless," said Clarke, who chairs a subcommittee that focuses on cybersecurity among other topics. But, she added, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure."

As an example, Clarke pointed to the data breach disclosed early last year by Hannaford Bros. Co. The grocery store chain was certified as PCI-compliant by a third-party assessor in February 2008 - one day after it was informed of the system intrusions that had begun two months earlier.

Similarly, RBS WorldPay and Heartland both received PCI certifications last year prior to the breaches that they disclosed in December and January, respectively. Visa dropped the two companies from its list of PCI-compliant service providers last month and is requiring them to be recertified, although it has said merchants can continue to do business with them in the meantime.

Michael Jones, CIO at arts and crafts retailer Michaels Stores Inc., said at the House hearing that the PCI rules appear to have been developed "from the perspective of the card companies, rather than from that of those who are expected to follow them." As a result, he contended, the requirements don't necessarily help to protect data.

Jones added that he "would like nothing better" than to not have to store any card numbers in the systems at Michaels. But retailers are forced by card-issuing banks to keep that data in case of disputed transactions, he said. And then, when a breach occurs, "we are the ones who are demonized," Jones noted.

Standard Defense

Visa officials and other PCI supporters continue to insist that the standard is an effective tool for mitigating threats to card data - when it's implemented properly.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.