The Payment Card Industry Data Security Standard (PCI DSS) is ineffective and major payment processing infrastructure improvements are needed to secure credit and debit card transactions, lawmakers said Tuesday.
The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to examine the effectiveness of PCI DSS.
"The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now," said U.S. Rep. Yvette Clarke (D-N.Y.), who chairs the subcommittee. "The payment card industry and issuing banks need to commit to investing in infrastructure upgrades here in the United States."
Clarke called on the industry to implement encryption on its credit and debit card processing networks and said the deployment of chip and PIN technology could significantly reduce the amount of stolen payment data. Chip and PIN technology is used in Asia and Europe. The technology replaces the magnetic strip on the back of a card and adds a four-digit personal identification number (PIN) to confirm a payment.
PCI Council officials mull latest breaches (Security Wire Weekly podcast) PCI
Council general manager Bob Russo talks about the latest data breaches.
PCI QSA assurance program penalizes assessors: Two firms certified to conduct PCI assessments have been placed into the PCI Council's remediation program for violating the QSA Validation Requirements.
PCI DSS also came under fire from Dave Hogan, senior vice president and CIO of the National Retail Federation and Michael Jones, CIO of Michaels Stores Inc. Jones called the standard "ripe with ambiguity and complexity" and said it has been confusing to many merchants seeking compliance. Hogan said that while the standard urges retailers to discard credit card data, many are under pressure from issuing banks to retain transaction identifying data to handle payment disputes.
"In our view, if you peel off all the layers around the PCI Data Security Standards, you will see it for what it is in significant part, a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others," Hogan said. "It is their payment card system and retailers -- like consumers -- are just users of their system."
Rita Glavin, acting assistant attorney general at the Department of Justice's criminal division called for retailers and the payment industry to increase cooperation with law enforcement agencies to help speed investigations and track down cybercriminals.
"I think the standards are a great bottom line to start with, but you have to be constantly watching, testing and checking them because hackers are sophisticated," Glavin said.
During a line of questioning on how the standard is enforced, subcommittee member Rep. Ben Ray Lujan D-N.M., came to the conclusion that improvements are needed to ensure that compliance is an ongoing process.
"In this case there is no one really overseeing this," Lujan said. "I think we all agree to certain point that the system we have today is not working."
Bob Russo, general manager of the PCI Security Standards Council defended PCI DSS as the payment industry's best effort to protect card holder data and safeguard against fraud. The council meets with members to review areas within the standard that need improving. Russo said the council is investigating emerging technologies such as chip and PIN and end-to-end encryption, but currently the cost of implementation is a factor.
"We agree that encryption is a good thing," Russo said. "But encryption is an expensive proposition… if we make this mandatory in the standard there are a number of merchants that will not be able to afford this immediately. If you are following the standard religiously it is not needed."
Subcommittee member Rep. Dan Lungren (R-Calif.) praised the payment card industry for investing resources into the data security standard, during his opening remarks.
"If we're unable to secure our online financial transactions from cybercriminals then our economic growth will be jeopardized," he said. "We recognize that it's a real challenge to stay ahead of the bad guys."