Banks blame merchants for data breaches
Execs note TJX breach caused by retailer, not banks
June 19, 2007 12:00 PM ET Computerworld - LAS VEGAS -- A discussion of the ongoing tug of war between banks, credit card companies and retailers regarding the Payment Card Industry (PCI) Data Security Standard drew ire, frustration and organizational tips from a panel of users at the Symantec Vision user conference here last week.
Executives from JP Morgan Chase & Co., First Horizon Bank Holding Co., and AT&T Inc.'s compliance division offered details about their PCI deployment experiences, discussed the confusion surrounding evolving rules, and offered advice on how to deal with the auditing and IT overhaul pressures PCI can bring.
As some retail executives openly criticize the PCI standard for levying unfair costs and IT burdens on their organizations, the financial services executives fired back by noting that high-profile data breaches at retailers like The TJX Companies Inc. are not originating from their side of the fence.
The TJX incident, said Christopher Leach, senior vice president and chief information security officer for First Horizon, "was not a JP Morgan [data breach], it wasn't at First Horizon or CitiGroup, it was at a merchant, and yet all the plans to remediate that have been with the banks. So we are seeing a shift right now for who's going to pay for that. At the end of the day, the breach wasn't at a bank, it was at a merchant."
First Horizon, which operates in 43 states and claims $5 billion in annual revenue, is currently going through a new round of PCI certification -- or, as Leach put it, "trying to build that airplane as we build the runway."
"We've discovered that PCI keeps changing," said Leach. "We went down the path to be certified at one point of time and did a great deal of due diligence, only to find out some of the requirements would change. One Visa analyst would say one thing and another Visa analyst would say something else very contradictory."
The PCI standards were enacted in June 2005 by five major credit card companies -- Visa International, MasterCard Worldwide, American Express Co., Discover Financial Services LLC and Tokyo-based JCB Co. -- to protect credit card data before, during and after transactions. The standards mandate an array of basic security controls, including encryption, authentication, logging and monitoring, for transactions processed using credit and debit cards. Failure to comply with the PCI standard could result in stiff fines and increased transaction rates starting later this year.
Vanessa Pegueros, director of compliance services for AT&T, said her organization was first threatened with PCI-related fines after the TJ Maxx data breach when the credit card group ordered that the company be compliant with the standard by September 2007 or face fines of $25,000 a month. "I think [after] the TJ Maxx incident, Visa came down with a much heavier hammer. [Merchants are] thumbing their nose at the PCI regulation, so we are paying the price," Pegueros contended.