Banks blame merchants for data breaches

Execs note TJX breach caused by retailer, not banks

LAS VEGAS -- A discussion of the ongoing tug of war between banks, credit card companies and retailers regarding the Payment Card Industry (PCI) Data Security Standard drew ire, frustration and organizational tips from a panel of users at the Symantec Vision user conference here last week.

Executives from JP Morgan Chase & Co., First Horizon Bank Holding Co., and AT&T Inc.'s compliance division offered details about their PCI deployment experiences, discussed the confusion surrounding evolving rules, and offered advice on how to deal with the auditing and IT overhaul pressures PCI can bring.

As some retail executives openly criticize the PCI standard for levying unfair costs and IT burdens upon their organizations, the financial services executives fired back by noting that high-profile data breaches at retailers like The TJX Companies Inc. are not originating from their side of the fence.

The TJX incident, said Christopher Leach, senior vice president and chief information security officer for First Horizon, "was not a JP Morgan [data breach], it wasn't at First Horizon or CitiGroup, it was at a merchant, and yet all the plans to remediate that have been with the banks. So we are seeing a shift right now for who's going to pay for that. At the end of the day, the breach wasn't at a bank, it was at a merchant."

First Horizon, which operates in 43 states and claims $5 billion in annual revenue, is currently going through a new round of PCI certification -- or, as Leach put it, "trying to build that airplane as we build the runway."

"We've discovered that PCI keeps changing," said Leach. "We went down the path to be certified at one point of time and did a great deal of due diligence, only to find out some of the requirements would change. One Visa analyst would say one thing and another Visa analyst would say something else very contradictory."

The PCI standards were enacted in June 2005 by five major credit card companies -- Visa International, MasterCard Worldwide, American Express Co., Discover Financial Services LLC and Tokyo-based JCB Co. -- to protect credit card data before, during and after transactions. The standards mandate an array of basic security controls, including encryption, authentication, logging and monitoring, for transactions processed using credit and debit cards. Failure to comply with the PCI standard could result in stiff fines and increased transactional rates starting later this year.

Vanessa Pegueros, director of compliance services at AT&T, said her organization was first threatened with PCI-related fines after the TJ Maxx data breach when the credit card group ordered that the company be compliant with the standard by September 2007 or face fines of $25,000 a month. "I think [after] the TJ Maxx incident, Visa came down with a much heavier hammer. [Merchants are] thumbing their nose at the PCI regulation, so we are paying the price," Pegueros contended.

"We were doing a good job, maybe not as fast as some would have liked, but we were on a plan and trying to meet the [PCI] business needs and requirements. But [Visa is] basically trying to take a hard line approach and we're caught in the middle of that. Now we have to adjust our plans," she remarked.

In terms of managing PCI compliance, Pegueros stressed that there is no silver bullet to quickly transform existing repositories and systems to comply with the evolving rules. Rather, she said, the process requires significant planning, beginning with stemming data flow away from outdated applications that can't be adapted to support compliance measures.

In particular, she said that companies should consider centralizing credit card data as much as possible by cutting the number of applications holding credit card information. That move would minimize PCI complexity, she said.

"Find out where your data is, where it resides, and on what servers. Then you have to start getting that data off those systems. We have a long road ahead: it's complex and hard, but I see no other way," said Pegueros. "Get involved in your development process. Stop the data from getting into new applications. If you don't cut it off at entry points of your business, it's going to get into production environments and become worse."
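The inventory step Pegueros describes, locating which files and systems still hold card numbers, is something a compliance team can start with a simple discovery scan. The following is an added illustration written for this article; it is not code from AT&T or any of the organizations quoted, and the log and note records it scans are constructed samples. It finds 13- to 19-digit runs, keeps only those that pass the Luhn checksum (so plain order or reference numbers are mostly filtered out), and reports each hit by source and line with the number masked, so the discovery report does not itself become one more place where card data resides.

```python
"""Locate candidate primary account numbers (PANs) in text records.

Added example for the "find out where your data is" step; the records
below are constructed samples, not data from any real system.
"""
import re
from typing import Dict, List

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(source: str, text: str) -> List[Dict[str, object]]:
    """Scan one record body; return masked findings with their location."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(
                    {"source": source, "line": line_no, "masked": mask_pan(digits)}
                )
    return findings


def scan_records(records: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of source name -> text and collect all findings."""
    results: List[Dict[str, object]] = []
    for source, text in records.items():
        results.extend(find_pans(source, text))
    return results


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per source: the inventory of where card data resides."""
    counts: Dict[str, int] = {}
    for f in findings:
        src = str(f["source"])
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample records. The card numbers are well-known test numbers;
# the 16-digit "ref" value is a Luhn-invalid decoy that must not be reported.
SAMPLE_RECORDS = {
    "orders.log": (
        "2007-05-14 10:02:11 order=88213 card=4111 1111 1111 1111 amt=19.99\n"
        "2007-05-14 10:05:42 order=88214 card=**** **** **** 4444 amt=5.00\n"
        "2007-05-14 10:09:03 ref=1234567890123456 status=ok\n"
    ),
    "support_notes.txt": (
        "Customer called about a charge, gave card 378282246310005 over the phone.\n"
        "Callback number 555-123-4567.\n"
    ),
}


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f['source']}:{f['line']}  {f['masked']}")
    print(summarize(hits))
```

The Luhn filter removes most incidental digit runs but not all of them: a timestamp or serial number passes the checksum roughly one time in ten, so findings are candidates for review, not proof of a PAN. In practice this scan is pointed at file shares, database dumps and log archives in turn, and the per-source summary becomes the list of applications to cut off from card data first.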

When asked point-blank how his organization is dealing with PCI compliance as credit card and debit transactional data is spread further and further outside his company's walls, Brian Glowacki, vice president and lead architect for global storage technology at JP Morgan Chase, succinctly responded "It's getting to be pretty impossible.

"As you start to take that schema outside of North America and start looking at a global economy where a lot of us do function, there are very different regulations you encounter outside of PCI... which is a complete contradiction of the centralization you're trying to protect yourself with," he said.

Corporate managers should carefully consider what actions might put them most at risk of falling short of PCI compliance, Glowacki suggested, citing the use of aging data storage tapes as an example. Organizations should understand and index what type of sensitive customer information is stored on media either in their own facilities or with third-party off-site vendors, he said.

Leach called on IT managers not to fear challenging a PCI auditor's findings or compliance discovery methods, because the rules are still at an early stage and can easily be left to personal discretion.

Copyright © 2007 IDG Communications, Inc.
