The Green Sheet

Thursday, April 2, 2009

PCI, interchange under scrutiny in D.C.

The Payment Card Industry (PCI) Data Security Standard (DSS) has come under attack by a large group of retailers, and they may have allies in the U.S. Congress. Legislation intended to rein in cardholder terms and fees has been approved by the Senate Banking Committee, and another cardholder rights bill is expected to pass an initial vote today before the House Financial Services Subcommittee on Financial Institutions.

Is PCI working?

"All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud," National Retail Federation Senior Vice President and Chief Information Officer David Hogan said in a March 31, 2009, hearing before the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.

"But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place," Hogan said. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Although Visa Inc.'s and MasterCard Worldwide's rules do not explicitly require merchants to maintain card information, Hogan argued that merchants feel obliged to keep receipts in the event of chargebacks. The card brands need to change their approach to data security, he insisted.

"PCI is little more than an elaborate patch," Hogan told the panel. "While PCI can reduce some fraud – at extraordinary cost – it is not nearly as effective as a redesign of the card processes themselves."

Rep. Bennie G. Thompson, D-Miss., Chairman of the House Committee on Homeland Security, expressed concerns about the reliance many place on the PCI DSS. "The essential flaw with the PCI standard is that it allows companies to check boxes, but not necessarily be secure," he said. "Checking boxes makes it easier to assess compliance with a standard. But compliance does not equal security."

Thompson chided bankers and retailers alike for making it seem like PCI is a panacea, and he questioned the ongoing viability of industry-created and enforced standards, "particularly if they are inadequate to address ongoing threats."

Nearly every expert who testified at the hearing described thefts of card data as a major source of funding for international terrorists.

"We know, for example, that drug traffickers engage in identity theft for the purpose of financing their activities," said Rita M. Glavin, Acting Assistant Attorney General for the Criminal Division at the U.S. Department of Justice.

"Similarly, there is a well-documented connection between identity theft – in particular as it relates to obtaining fraudulent identification documents, but also as it may relate to credit card fraud – and terrorism," she added.

Glavin asked lawmakers to consider laws that would require breached organizations to promptly notify law enforcement. "While companies like Visa require, by policy, that all entities that suspect or have confirmed that a security breach occurred must contact federal law enforcement, few laws require the victim company to notify law enforcement," she noted.

Visa's views

W. Joseph Majka, Head of Fraud Control and Investigations at Visa, explained to lawmakers that the card company had never intended the PCI DSS to be a standalone solution. Additionally, Majka said Visa is doing what it can to eliminate any need for card data storage by merchants and processors, and that in all card data breaches to date someone dropped the ball on network security – and it wasn't Visa.

"While there have been a few instances where an entity that previously validated compliance was the victim of a compromise, in all compromise cases our review concluded that gaps in the compromised entity's PCI DSS controls were major contributors to the breach," Majka said.

"Visa recognizes that no set of standards can provide an absolute guarantee of security in a changing world, and PCI DSS is not an exhaustive list of all the security practices that may be effective to safeguard card data," he added.

"Validating PCI DSS is a major milestone, but achieving and maintaining compliance requires companies to make an ongoing commitment to keeping consumers' data safe – 24 hours a day, seven days a week, 365 days a year."

Majka went on to say that while "it is easy to focus on the failures that some entities have had with ongoing compliance, we believe it is likely many compromises have been prevented as a result of the strenuous efforts of merchants and processors to maintain compliance with PCI DSS."

Interchange debated

Meanwhile, on the other side of Capitol Hill, Senate Banking Committee Chairman Chris Dodd, D-Conn., secured a narrow victory for legislation he said he's been trying to get passed for more than a generation.

S 414, the Credit Card Accountability Responsibility and Disclosure Act of 2009 (the Credit CARD Act) would forbid several common issuer practices, such as "any time, any reason increases in interest rates," Dodd explained in remarks to the committee. The bill also asks the U.S. General Accountability Office to study the effect of interchange fees on merchants and consumers.

"I've been working on reforming credit card practices for more than 25 years," Dodd said. "For many years, our efforts have fallen on deaf ears. But not this time. This is the moment for credit card reform."

S 414 was approved by a committee vote of 12 to 11.

The House Financial Services Subcommittee on Financial Institutions has scheduled an April 2 vote on the Cardholders' Bill of Rights, HR 627. The bill is identical to legislation that was approved by the full House during the last Congress but died in the Senate.

HR 627 contains no provisions concerning interchange. However, in remarks to the subcommittee on April 1, 2009, Rep. Ron Klein, D-Fla., urged colleagues to take up interchange legislation.

"I am concerned that small businesses are being hurt by these fees, particularly in the current economic climate," Klein said. "I am also concerned that large interchange fees create an incentive for banks to issue as many credit cards as possible, without regard to the credit risk of consumers."

Dodd voiced similar concerns during a recent Senate Banking Committee hearing, and the Merchants Payments Coalition has raised the issue in its latest push for interchange reform. The MPC represents an amalgam of merchant trade associations and lobbies extensively against what it calls "unfair" merchant acquiring fees.
