Is regulation coming to a point-of-sale device near you?
It certainly appears so. At least if the credit card ecosystem—banks, processors, security companies, assessors and retailers—doesn’t do more to ensure consumer transactions are safer.
Last week, Congress held hearings designed to get to the bottom of what is being done, and what can be done, to help stem the tide of cyber fraud and identity theft. It left little to debate. More has to be done. Now.
Bottom line, said a no-nonsense Rep. Yvette Clarke, chairwoman of the subcommittee that held the hearing, just being PCI compliant does not guarantee security.
Clarke said a recent investigation found PCI standards are of “questionable strength and effectiveness.” As a result, she warned, retailers need to take proactive measures to protect themselves and their consumers. She also said new security technologies and practices are needed—ASAP:
“The time for waiting is over. The time for shifting risk is over. Today, the responsibility is yours to make this situation better.”
Clarke spoke those words to a panel consisting of high-ranking representatives from the Department of Justice, the PCI Security Standards Council, Visa, Michaels Stores and the National Retail Federation.
For a change, it certainly appeared to me that our elected officials got it. And I also think the panel did an excellent job delivering a down-and-dirty assessment of the strengths, limits and dangers of our current security compliance system. Even if they did shift blame a little.
I think we all can appreciate just how vulnerable we are when Rep. Dan Lungren, vice chair of the committee, admitted his family was recently a victim of credit card fraud. He was particularly peeved at how he was informed: Embarrassingly, at a restaurant, when the waiter said his card wasn’t working. When Lungren called the credit card company, it didn’t have any information other than his account had been “compromised.”
Talk about more work to be done. If this can happen to Lungren, it can happen to anyone.
The PCI Council’s Robert Russo said his organization’s standards are solid. The challenge is that the council doesn’t enforce standards. That’s up to the credit card brands and the banks/processors. Many companies also approach PCI with a checking-the-box mentality. PCI compliance should be viewed as an opportunity to build solid security best practices for long-term security versus point-in-time security. Visa’s Joseph Majka, meanwhile, said the credit card company never found a breached company to not be in compliance with PCI standards.
Regardless of these testimonials, data security standards need some work, said Michael Jones, CIO of Michaels Stores, who delivered a no-holds-barred critique of the PCI compliance process. These standards were “set up for the credit card companies and banks to have all the power over fines and mandates,” Jones testified. “It is not an industry standards body.”
He continues: “We would be more secure…if the credit card companies would take more responsibility.”
Jones’ concerns: The inconsistencies, confusion, high cost and ambiguity in data security standards. Not to mention the credit card monopoly that controls these standards. While there is some debate over his particular issues, I agree PCI standards need to be much better. I also agree more responsibility can be shared. The retailer, after a breach, is left holding the bag. The retailer is demonized in the press. And it is often the one hit with fines.
We can debate the fine points of Jones’ concerns all we want. But it’s clear the United States is lagging behind. And it’s also clear retailers’ systems need to be better protected. While several European countries have enacted stricter and smarter standards, regulations and technologies, fraud has decreased in those countries. However, it is increasing globally, Chairwoman Clarke points out. Why is this? Because hackers are taking advantage of countries with weaker technologies and security practices.
In other words, countries such as the United States. Of course, we must all keep in mind that the European countries’ new technologies have far fewer companies to worry about versus the United States.
In a coming post, I will lay out some best practices specifically focused on small merchants. In the meantime, the seriousness of the situation cannot be underestimated. Not only are U.S. retailers the means by which more hackers are becoming rich, but U.S. retailers are also the means by which terrorists are financing their murderous activities.
Clarke reminded the panel that the 2002 Bali nightclub bomber financed his mission with credit card fraud.
Terrorists are clearly on the hunt for cyber vulnerabilities.
They could find that next vulnerability in your system.
Until next time,
Joan
The eSecurityDiva

A friend of mine used to work for Rep. Clarke. She is on top of her game. I'm hoping she can bring more light to this important issue.
Posted by: Jesse | April 06, 2009 at 04:29 PM
Having standards such as PCI is only valuable if the people implementing the credit card processing and network security actually adhere to them.
I'm sure TJZ/Homegoods/Marshalls thought they were compliant, right up to the moment they realized that they lost 45 MILLION credit cards and thousands of identities linked to driver's license numbers to hackers. They may even have had scans and intrusion detection done. But, nonetheless, someone infiltrated their network, got past their idt on the wrong side of the firewall, and was able to grab anything they wanted.
Posted by: Craig | April 30, 2009 at 08:08 PM