
House subcommittee debates card security standards

Merchants may have federal support in protecting against card fraud

Credit card merchants may now have federal support in their efforts to better protect customers against credit card fraud.

At a March 31 hearing, a House subcommittee expressed doubt that the Payment Card Industry Data Security Standard (PCI DSS) requirements imposed on merchants do much to prevent electronic crime.

"... I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure," said Rep. Yvette D. Clarke, chairwoman of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. "It is not, and the credit card companies acknowledge that."

The PCI standard is a set of security requirements placed on merchants who accept credit card transactions. The PCI Security Standards Council says these requirements help prevent hacking, fraud, identity theft and other security breaches; they include building and maintaining a secure network, setting cardholder data access policies, and monitoring and testing networks and procedures.

"The PCI Security Standards Council was allegedly spun off from the credit card companies and set up as an independent governing body of credit card companies, bank and merchant representatives," testified Michael Jones, senior vice president and chief information officer for National Retail Federation member Michaels Stores Inc. Jones went on to state that "the council is set up so that the credit card companies and banks retain all power over the ultimate standards, fines and anything else connected to PCI. Because of this, the standards do not represent what is the best security but rather what is best for the credit card companies and their financial institution partners."

According to Rep. Clarke, large merchants pay as much as $18 million a year to remain PCI compliant, with no guarantee that a merchant is fully protected. Clarke named the Heartland Payment Systems data breach as one example of PCI's shortcomings.

Visa and the PCI Security Standards Council maintain that no company that meets the full requirements of PCI has experienced a data breach, but a representative from Visa also said no system is a magic bullet for secure payments. "Visa recognizes that no set of standards can provide an absolute guarantee of security in a changing world, and PCI DSS is not an exhaustive list of all the security practices that may be effective to safeguard card data," said Joseph Majka, head of fraud control and investigations for Visa.

Dave Hogan, a National Retail Federation representative, argued that the best way to decrease vulnerabilities is to no longer require merchants to store credit card data in their systems. "Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software," said Hogan. "However, what is ironic in this scenario is that the credit card companies' rules require merchants to store, for extended periods, credit card data that many retailers do not want to keep."

While Visa and MasterCard do not legally require merchants to retain credit card numbers, a retailer must produce a valid credit card receipt when a customer requests a charge-back. If the retailer cannot present the receipt to the card issuer, the charge-back is granted and the amount is deducted from the merchant's account. Retailers are stuck in a Catch-22: forced to choose between storing credit card numbers and exposing themselves to fraud, or not storing credit card numbers and being liable for charge-backs.

Rep. Bennie Thompson, chair of the Homeland Security Committee, said card companies are unwilling to take responsibility for PCI's weaknesses, preferring to "shift risk" to merchants instead of actually improving or replacing the standard. Thompson attributed the lack of a better standard to the fact that the credit card companies wrote the requirements in the first place. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat," Thompson said.

Robert Russo, general manager of the PCI Security Standards Council, said the standard is still a viable option in preventing or tracing cybercrime. "When breaches do occur, the Council works... to determine the root causes of the breach," said Russo. "If a need to strengthen the Standards or the Council's Assessment programs is identified, we have mechanisms in place for taking swift action."

Published: April 3, 2023