Ads by TechWords

See your link here
Receive the latest technology news and information.
Networking
Networking Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

PCI security standard gets ripped at House hearing

Payment card industry's data security rules aren't working, critics say; Visa, PCI council continue to defend standard

April 1, 2009 12:00 PM ET

Computerworld - The PCI standard, long touted as one of the private sector's best attempts to regulate itself on data security, is increasingly showing signs of coming apart at the seams.

At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud.

The hearing, held by a subcommittee of the House Committee on Homeland Security, also highlighted the longstanding bitter divide between retailers on one side and banks and credit card companies on the other over the role that the latter organizations should play in protecting card data.

In one of the bluntest denouncements of PCI DSS to date, Rep. Yvette Clarke (D-N.Y.), chairwoman of the subcommittee that held the hearing, said the standard by itself is simply not enough to protect cardholder data. The PCI rules aren't "worthless," Clarke said. But, she added, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that."

Much of PCI's limitations have to do with the static nature of the standard's requirements, according to Clarke, who said the rules are ineffective at dealing with the highly dynamic security threats that retailers and other merchants now face.

For instance, she pointed to the data breach disclosed early last year by Hannaford Bros. Co., which said that attackers had stolen card numbers and expiration dates by installing malware on servers at each of the Scarborough, Maine-based grocery chain's stores and capturing the data as cards were swiped at cash registers.

Hannaford was certified as PCI-compliant by a third-party assessor in February 2008, just one day after the company was informed of the system intrusions, which had begun two months earlier. That means the grocer received its PCI certification "while an illegal intrusion into its network was in progress," Clarke said.

Similarly, RBS WorldPay Inc. and Heartland Payment Systems Inc. were both certified as PCI-compliant prior to breaches that the two payment processors disclosed in December and January, respectively. Visa Inc. dropped Heartland and RBS WorldPay from its list of PCI-compliant service providers last month and is requiring them to be recertified, although it has said that merchants can continue to do business with the two companies in the meantime.



Jump to comments

PCI

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

White Papers & Webcasts

Tackling the Top Five Network Access Control Challenges
Computerworld and Juniper invite you to download this white paper.  

How to Secure and Accelerate Your Oracle Applications
Learn about the escalating application performance and security challenges facing corporations, today!  

Enterprise Application Delivery: No User Left Behind
Gain the ability to deliver applications to all users, using any device, across any network.  

Accelerate SSL Encrypted Applications
Gain complete visibility into SSL application sessions, making it easy to apply appropriate acceleration and security controls to all SSL traffic.  

The Commercialization of ITIL: Lessons Learned
Register for this event today!

Disaster Recovery & Cost Savings Zone
Thousands of customers world-wide have turned to virtualization solutions from Riverbed as a way to reduce costs.