Post-breach criticism of PCI security standard misplaced, Visa exec says

Computerworld - Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure.

Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly."

Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year.

"I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" — and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."

Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.

Richey's defense of PCI DSS and criticism of Heartland come as Visa, which has taken the lead among credit card companies in seeking to enforce the standard, is itself facing some criticism over its enforcement actions.

For instance, some analysts have been critical of the so-called probationary period that Visa has imposed on Heartland, saying that designation — which requires the payment processor to meet more stringent security requirements than usual — appears to have been created purely in response to the Heartland situation. Some also see Visa's insistence that Heartland and RBS WorldPay weren't compliant with PCI DSS when the breaches occurred as an attempt by the credit card company to protect itself legally and prevent the payment processors from using PCI as a shield against breach-related lawsuits filed by banks and credit unions.

In addition, questions are being raised about what exactly it takes to remain fully PCI-compliant at all times. "It's easy to find somebody to be in noncompliance if that is the primary goal" of an audit, said David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.