Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure.
Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly."
Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year.
"I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" — and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.
Richey's defense of PCI DSS and criticism of Heartland come as Visa, which has taken the lead among credit card companies in seeking to enforce the standard, is itself facing some criticism over its enforcement actions.
For instance, some analysts have been critical of the so-called probationary period that Visa has imposed on Heartland, saying that designation — which requires the payment processor to meet more stringent security requirements than usual — appears to have been created purely in response to the Heartland situation. Some also see Visa's insistence that Heartland and RBS WorldPay weren't compliant with PCI DSS when the breaches occurred as an attempt by the credit card company to protect itself legally and prevent the payment processors from using PCI as a shield against breach-related lawsuits filed by banks and credit unions.
In addition, questions are being raised about what exactly it takes to remain fully PCI-compliant at all times. "It's easy to find somebody to be in noncompliance if that is the primary goal" of an audit, said David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.
In an interview earlier this week about Visa's removal of Heartland and RBS WorldPay from its PCI-compliant list, Taylor said that auditors are bound to find problems if they really want to. "It's easy to go in and say, 'You don't have this patch, or you didn't centralize your logs,'" he said.
During a panel discussion after Richey's talk at the Visa summit today, Dan Roeber, vice president and manager of merchant PCI compliance at Cincinnati-based Fifth Third Bancorp, said there are "lots of moving parts" in the PCI standard. That sometimes can make complying with the rules a challenge, he added.
Roeber called on Visa and other credit card companies to give merchants more flexibility in implementing security controls based on the specific risks that they face in their own environments. He also said PCI Security Standards Council LLC, the organization responsible for administering PCI DSS, "needs to do a more thoughtful job" and "get as much risk-oriented language as possible" into the rules in order to make them more digestible for companies trying to figure out why they need to implement certain controls.
Princeton, N.J.-based Heartland has maintained that its compliance with the PCI standard was validated by an auditor last April, only about a month before the breach of the company's systems is thought to have begun. Similarly, Atlanta-based RBS WorldPay, which was certified as being compliant with the PCI rules last June, said this week that it has made "no material system changes that would have negatively altered the certification." In fact, the company added, it has "enhanced the security of our systems in the interim."