In the wake of the recent high-profile security
breaches at payment processors Heartland Payment Systems and RBS
WorldPay, the issue of whether the Payment Card Industry Data
Security Standard (PCI DSS) is stringent enough is becoming so
contentious that it has now reached the upper echelons of US
politics.

A hearing on 31 March, held by a
sub-committee of the House Committee on Homeland Security, pitted
retailers and payment industry representatives against each other
in an argument over the roles that payment industry players should
play when it comes to protecting cardholder data.

Democratic representative Yvette Clarke,
chairwoman of the sub-committee, said: “I do want to dispel the
myth once and for all that PCI compliance is enough to keep a
company secure. It is not, and the credit card companies
acknowledge that.”

Retailer representatives also argued that
PCI rules were designed from the perspective and for the benefit of
payment card players, rather than the merchants and financial
institutions which bear the brunt of fraud attacks. David Hogan,
chief information officer at the National Retail Federation, told
the hearing that PCI DSS was little more than a tool to shift
financial risks and liabilities off bank and card company balance
sheets and onto merchants.

The row over the adequacy of PCI DSS is
giving new impetus to those who would like the US to adopt EMV
chip-card technology, as Europe, Asia-Pacific and Canada have done.

Clarke told the hearing: “One breached
company noted that ‘the effectiveness of data security standards is
inherently limited by the technology base of US credit and
signature debit card processing networks. Credit and signature
debit transactions are not protected by encrypted PINs.
Implementation of encrypted PINs for all credit and debit card
transactions could be useful.’”

However, Robert Russo, general manager of
the PCI Council, rejected the criticisms, saying that the PCI DSS rules are
effective and are based on an industry-wide consensus with input
from all stakeholders. Russo said that PCI compliance depends
on continuous vigilance on the part of the organisations implementing
it.