PCI Debate: How Do We Raise the Bar on Security?
Congressional Leaders Call for Reform; Industry Experts Say Fraud is the Real Issue
This was the message last week from the head of a Congressional subcommittee that conducted a hearing on PCI DSS. And it's a message that is drawing mixed reactions from financial services analysts and practitioners, all of whom have fresh PCI perspectives in the wake of the Heartland Payment Systems (HPY) data breach.
The Congressional hearing, entitled "Do The Payment Card Industry Data Standards Reduce Cybercrime?", was held by the Subcommittee on Emerging Threats, Cybersecurity, Science and Technology Committee.
Yvette Clarke, D-NY, Chair of the Subcommittee, admonished the payments industry, saying "The payment card industry and issuing banks should be ashamed about the current state of play and doing everything possible to immediately institute improvements in infrastructure."
Clarke called for the U.S. payment system to move toward the chip and PIN technology used in Europe as a way to thwart the increased number of data breaches and fraud.
Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard (group effort between Europay, MasterCard and Visa) for secure payments. The EMV standard for credit card transactions, both physical and online, is being phased in around the world under names such as IC Credit and Chip and PIN.
Industry Reactions
Gartner Group's distinguished analyst Avivah Litan, a recognized expert in information security issues in the payments industry, sees some benefits in the subcommittee hearing and the issues it raised.
"Card fraud is getting out of control, in many areas, and bank card fraud detection systems across the globe are struggling to keep up," Litan says. "Even issuers that have moved to chip and PIN have not seen a drop overall in card fraud because the magnetic stripe on the card is still accepted in physical locations around the world, and the card data itself is still accepted on ecommerce sites."
Litan believes Visa is finally recognizing the limitations of PCI. "They discussed some encouraging projects they are looking at such as end-to-end encryption and dynamic card authentication, which they say will 'complement PCI' and also 'perhaps' minimize PCI compliance requirements accordingly," she notes.
Litan does add that Visa "would never come out and say PCI is deficient, and no one can argue with stronger security. But Visa is subtly recognizing the limitations of relying on PCI compliance for card data security. They know they need to do something because card fraud has become a major problem for many major banks around the world."
She recommends that if there is more government regulation in this area, it should "stick to enhancing and consolidating breach disclosure laws. Government should also focus on balancing the power in the card area so that it's not so lopsided in favor of the issuing banks, but also equally considers merchant and acquiring needs."
David Taylor, Founder of the PCI Knowledge Base, says he doesn't see the committee's concerns resulting in any major changes to the standards or procedures for the management of liability and risk in the payment card industry.
"The purpose of PCI is not to prevent cyber terrorism, and no security standard can prevent breaches," Taylor says. The hearing could serve to increase awareness of payment card security and focus attention on the desire of the merchant community to retain little or no cardholder data. "But I don't see the banking industry or the federal government having the stomach for mandating a multi-billion dollar changeover to chip and PIN technology anytime soon," he says.
Chip and PIN?
Tom Wills, Senior Analyst from Javelin Strategy and Research, disagrees with the idea that implementing chip and PIN in the US would solve the problem.
"While it's true that chip and PIN in the UK reduced fraud at the point of sale, total fraud suffered by UK cardholders increased in the same period as it has overseas," Wills says.
Wills doubts that a business case exists for chip and PIN in the U.S. "The cost of issuing new cards to all cardholders and new POS terminals on all merchant countertops would be less than the cost of the fraud it prevents, especially if effective protections against overseas fraud and CNP (Card Not Present) fraud aren't added at the same time," he says.
Debra Geister, Director of Fraud Prevention & Compliance Solutions at Lexis-Nexis, an Alexandria, VA-based risk management consulting company, sees no short-term gains from the current PCI discussion.
"I can't say that PCI is broken, but the standards are likely not moving as fast as the fraudsters, and I think that is a common problem."
However, she says the industry can't point to one solution as the answer to any fraud problem. She warns it is dangerous to think that there is any "silver bullet" answer. Her recommendation: putting together a working group of the best and brightest, focused on best practices and cost-efficient methods, would be a good step to identify the path forward.
The tipping point in bringing about change to the payments industry will be an increase in fraud to the point where upgrading the entire U.S. payment infrastructure seems worthwhile, says Nick Holland, a senior analyst at the Boston, MA-based Aite Group. "Until then, and unless there is direct government level intervention," Holland says, "it is unlikely that there will be any significant movement to plug current vulnerabilities."