Cybersecurity hearing highlights inadequacy of PCI DSS

By Robert Westervelt, News Editor
31 Mar 2009 | SearchSecurity.com


The Payment Card Industry Data Security Standard (PCI DSS) is ineffective and major payment processing infrastructure improvements are needed to secure credit and debit card transactions, lawmakers said Tuesday.

The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to examine the effectiveness of PCI DSS.

"The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now," said U.S. Rep. Yvette Clarke (D-N.Y.), who chairs the subcommittee. "The payment card industry and issuing banks need to commit to investing in infrastructure upgrades here in the United States."

Clarke called on the industry to implement encryption on its credit and debit card processing networks and said the deployment of chip and PIN technology could significantly reduce the amount of stolen payment data. Chip and PIN technology is used in Asia and Europe. The technology replaces the magnetic stripe on the back of a card and adds a four-digit personal identification number (PIN) to confirm a payment.
PCI DSS also came under fire from Dave Hogan, senior vice president and CIO of the National Retail Federation, and Michael Jones, CIO of Michaels Stores Inc. Jones called the standard "ripe with ambiguity and complexity" and said it has been confusing to many merchants seeking compliance. Hogan said that while the standard urges retailers to discard credit card data, many are under pressure from issuing banks to retain transaction-identifying data to handle payment disputes.

"In our view, if you peel off all the layers around the PCI Data Security Standards, you will see it for what it is in significant part, a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others," Hogan said. "It is their payment card system and retailers -- like consumers -- are just users of their system."

Rita Glavin, acting assistant attorney general at the Department of Justice's criminal division, called for retailers and the payment industry to increase cooperation with law enforcement agencies to help speed investigations and track down cybercriminals.

"I think the standards are a great bottom line to start with, but you have to be constantly watching, testing and checking them because hackers are sophisticated," Glavin said.

During a line of questioning on how the standard is enforced, subcommittee member Rep. Ben Ray Lujan (D-N.M.) came to the conclusion that improvements are needed to ensure that compliance is an ongoing process.

"In this case there is no one really overseeing this," Lujan said. "I think we all agree to a certain point that the system we have today is not working."

Bob Russo, general manager of the PCI Security Standards Council, defended PCI DSS as the payment industry's best effort to protect cardholder data and safeguard against fraud. The council meets with members to review areas within the standard that need improving. Russo said the council is investigating emerging technologies such as chip and PIN and end-to-end encryption, but currently the cost of implementation is a factor.

"We agree that encryption is a good thing," Russo said. "But encryption is an expensive proposition… if we make this mandatory in the standard there are a number of merchants that will not be able to afford this immediately. If you are following the standard religiously it is not needed."

In his opening remarks, subcommittee member Rep. Dan Lungren (R-Calif.) praised the payment card industry for investing resources in the data security standard.

"If we're unable to secure our online financial transactions from cybercriminals then our economic growth will be jeopardized," he said. "We recognize that it's a real challenge to stay ahead of the bad guys."
