Post-breach criticism of PCI security standard misplaced, Visa exec says
Chief risk officer: No breached companies have been compliant with the data security rules
March 19, 2009 12:00 PM ETComputerworld - Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure.
Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly."
Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year.
"I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" — and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.
Richey's defense of PCI DSS and criticism of Heartland come as Visa, which has taken the lead among credit card companies in seeking to enforce the standard, is itself facing some criticism over its enforcement actions.
For instance, some analysts have been critical of the so-called probationary period that Visa has imposed on Heartland, saying that designation — which requires the payment processor to meet more stringent security requirements than usual — appears to have been created purely in response to the Heartland situation. Some also see Visa's insistence that Heartland and RBS WorldPay weren't compliant with PCI DSS when the breaches occurred as an attempt by the credit card company to protect itself legally and prevent the payment processors from using PCI as a shield against breach-related lawsuits filed by banks and credit unions.
In addition, questions are being raised about what exactly it takes to remain fully PCI-compliant at all times. "It's easy to find somebody to be in noncompliance if that is the primary goal" of an audit, said David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.
Visa
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
