Is regulation coming to a point-of-sale device near you?
It certainly appears so, at least if the credit card ecosystem—banks, processors, security companies, assessors and retailers—doesn't do more to ensure consumer transactions are safer.
Last week, Congress held hearings designed to get to the bottom of what is being done, and what can be done, to help stem the tide of cyber fraud and identity theft. It left little to debate. More has to be done. Now.
The bottom line, said a no-nonsense Rep. Yvette Clarke, chairwoman of the subcommittee that held the hearing: being PCI compliant does not guarantee security.
Clarke said a recent investigation found PCI standards are of “questionable strength and effectiveness.” As a result, she warned, retailers need to take proactive measures to protect themselves and their consumers. She also said new security technologies and practices are needed—ASAP:
“The time for waiting is over. The time for shifting risk is over. Today, the responsibility is yours to make this situation better.”
Clarke spoke those words to a panel consisting of high-ranking representatives from the Department of Justice, the PCI Security Standards Council, Visa, Michaels Stores and the National Retail Federation.
For a change, it certainly appeared to me that our elected officials got it. And I also think the panel did an excellent job delivering a down-and-dirty assessment of the strengths, limits and dangers of our current security compliance system. Even if they did shift blame a little.
I think we all can appreciate just how vulnerable we are when Rep. Dan Lungren, vice chair of the committee, admitted his family was recently a victim of credit card fraud. He was particularly peeved at how he was informed: embarrassingly, at a restaurant, when the waiter told him his card wasn't working. When Lungren called the credit card company, it had no information other than that his account had been "compromised."
Talk about more work to be done. If this can happen to Lungren, it can happen to anyone.
The PCI Council's Robert Russo said his organization's standards are solid. The challenge is that the council doesn't enforce them; that is up to the credit card brands and the banks and processors. Many companies also approach PCI with a check-the-box mentality, when compliance should be treated as an opportunity to build lasting security practices rather than a point-in-time exercise. Visa's Joseph Majka, meanwhile, said the credit card company has never found a breached company to have been in compliance with PCI standards at the time of the breach.
Regardless of these testimonials, data security standards need work, said Michael Jones, CIO of Michaels Stores, who delivered a no-holds-barred critique of the PCI compliance process. These standards were "set up for the credit card companies and banks to have all the power over fines and mandates," Jones testified. "It is not an industry standards body."
He continued: "We would be more secure…if the credit card companies would take more responsibility."
Jones' concerns: the inconsistencies, confusion, high cost and ambiguity of the data security standards, not to mention the credit card monopoly that controls them. While there is some debate over his particular issues, I agree PCI standards need to be much better. I also agree more responsibility can be shared. After a breach, the retailer is left holding the bag: it is demonized in the press, and it is often the one hit with fines.
We can debate the fine points of Jones' concerns all we want. But it's clear the United States is lagging behind, and it's clear retailers' systems need to be better protected. Several European countries have enacted stricter and smarter standards, regulations and technologies, and fraud has decreased in those countries. Globally, however, it is increasing, Chairwoman Clarke points out. Why? Because hackers are taking advantage of countries with weaker technologies and security practices.
In other words, countries such as the United States. Of course, we must all keep in mind that the European countries rolling out these technologies have far fewer companies to bring along than the United States does.
In a coming post, I will lay out some best practices specifically focused on small merchants. In the meantime, the seriousness of the situation cannot be overstated. U.S. retailers are not only the means by which more hackers are getting rich, but also the means by which terrorists are financing their murderous activities.
Clarke reminded the panel that the 2002 Bali nightclub bomber financed his mission with credit card fraud.
Terrorists are clearly on the hunt for cyber vulnerabilities.
They could find that next vulnerability in your system.
Until next time,
Joan
The eSecurityDiva

A friend of mine used to work for Rep. Clarke. She is on top of her game. I'm hoping she can bring more light to this important issue.
Posted by: Jesse | April 06, 2009 at 04:29 PM
Having standards such as PCI is only valuable if the people implementing the credit card processing and network security actually adhere to them.
I'm sure TJX/HomeGoods/Marshalls thought they were compliant, right up to the moment they realized they had lost 45 MILLION credit cards and thousands of identities linked to driver's license numbers to hackers. They may even have had scans and intrusion detection done. But nonetheless, someone infiltrated their network, got past their IDS on the wrong side of the firewall, and was able to grab anything they wanted.
Posted by: Craig | April 30, 2009 at 08:08 PM
I tend to agree that consumers are to a degree at fault; they just jump in without reading the fine print.
We must all start taking responsibility for our actions.
Posted by: credit repair letters | August 15, 2010 at 11:50 PM