October 05, 2007
PCI and other breach laws under assault
The retailers are finally fighting back.
Yesterday the National Retail Federation publicly blasted the Payment Card Industry Data Security Standard, issuing a statement that pushes the responsibility for the storage of sensitive customer data back on the card issuers themselves, the very same authors and enforcers of the mandate.
For those of you unfamiliar with PCI, it's the data-handling regulation cooked-up by the financial institutions that issue credit and debit cards (AMEX, Visa and MasterCard for starters) that requires anyone who processes their plastic to get their IT security systems up-to-snuff to prevent more leakage incidents like the one experienced by TJX Companies.
"With this letter, we are officially putting the credit card industry on notice," said NRF CIO David Hogan in the missive. "Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place."
According to NRF, credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy "card company retrieval requests."
If retailers were given the choice to end the process of storing such customer data, they could lower their own risk and ensure greater consumer security, according to Hogan.
Strong words, but one has to wonder why the NRF hasn't been making noise about PCI sooner.
After all, the deadline for retailers to become PCI DSS compliant was the end of last week, and the regulation has been out there for almost years. The PCI Security Standards Council has been working on the mandate since forming in late 2004.
And wasn't it just a few years ago -- before ChoicePoint, TJX and everyone else -- that we were reading about all the ways that retailers were going to use the details stored in their CRM systems to create detailed electronic profiles of us all?
It does seem like the data breach issue has forced a turnabout in perceptions of data gathering and mining -- PCI or not.
NRF says further that credit card companies and their banks should provide merchants with the option of keeping no more than authorization code data provided at the time of a transaction along with a "truncated receipt," versus storing the card info.
"If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," said Hogan. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."
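As an added illustration (not code from the article, the NRF or any card brand), here is what the "authorization code plus truncated receipt" retention option the NRF describes might look like inside a merchant's own system, paired with the check a defender would want: a scan of whatever the merchant does retain (records, logs, exports) for full card numbers that slipped through anyway. The field names, the record layout, the sample transaction and the sample log line are all constructed, and treating the last four digits of the card number as the "truncated receipt" is an assumption, since the article does not define the term.

```python
"""Data-minimization example for the NRF retention proposal.

Added example; not code from the article, the NRF, or any card brand.
All names, records and sample values below are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Transaction:
    """A constructed point-of-sale transaction as returned by the processor."""
    pan: str            # full primary account number: what the NRF wants merchants not to keep
    expiry: str
    auth_code: str      # issuer authorization code returned at the time of sale
    amount_cents: int
    merchant_ref: str


@dataclass(frozen=True)
class RetainedRecord:
    """What the merchant keeps for later retrieval requests: no full card number."""
    auth_code: str
    pan_last4: str      # the "truncated receipt" (assumed here to be the last four digits)
    amount_cents: int
    merchant_ref: str


def minimize(tx: Transaction) -> RetainedRecord:
    """Drop the PAN and expiry; keep only the authorization code and a truncated receipt."""
    return RetainedRecord(
        auth_code=tx.auth_code,
        pan_last4=tx.pan[-4:],
        amount_cents=tx.amount_cents,
        merchant_ref=tx.merchant_ref,
    )


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: separates card-number-shaped digit runs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list[str]:
    """Scan retained text (records, logs, CSV exports) for full card numbers.

    Any hit means card data leaked into storage despite the retention policy,
    which is exactly the exposure the NRF letter wants merchants to eliminate.
    """
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample inputs (4111 1111 1111 1111 is a well-known Luhn-valid test number)
SAMPLE_TX = Transaction(
    pan="4111111111111111",
    expiry="12/09",
    auth_code="012345",
    amount_cents=4599,
    merchant_ref="ORD-2007-1005",
)
SAMPLE_LOG_LINE = (
    "2007-10-05 09:34:00 sale ref=ORD-1005 card=4111 1111 1111 1111 "
    "auth=012345 amount=45.99"
)


if __name__ == "__main__":
    retained = minimize(SAMPLE_TX)
    print("retained record:", retained)
    print("PANs in raw transaction:", find_full_pans(str(SAMPLE_TX)))
    print("PANs in retained record:", find_full_pans(str(retained)))
    print("PANs in debug log line:", find_full_pans(SAMPLE_LOG_LINE))
```

The scan is deliberately run over the retained record and over a debug-style log line as well: in practice the card number that ends up breached is often not the one in the transaction table but a copy in a log, trace file or report that nobody meant to keep, so the minimization step and the verification step belong together.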
Is it all too little too late? Lucky for NRF, it would appear that the ship hasn't truly sailed on PCI.
According to some experts, many retailers and card processors are still way behind in terms of getting in line with the regulation from a technological standpoint -- with some companies apparently willing to take a wait-and-see approach to dealing with potential audits and fines.
The issue of data-handling legislation is becoming decidedly more controversial nationwide. However, while a long list of related bills sits on Capitol Hill waiting to pass through various committees and in various states of progress, states continue to push forward.
As I noted in a blog two weeks ago, California is on the cusp of signing into effect a far more aggressive piece of legislation than the state's oft-referenced 1386 breach notification bill, which forced companies to begin reporting their data incidents publicly. Almost 40 other states have subsequently passed similar legislation.
The new bill, Calif. AB 779 -- which would require merchants who experience data incidents to pay back any expenses incurred by banks and card companies for re-issuing cards to affected customers -- has already passed through the state's legislature and is sitting on Gov. Schwarzenegger's desk awaiting approval -- which many have said it will receive.
Retailers in the state are predictably up in arms over the bill.
Benjamin Wright, author of several books on technology law, including "The Law of Electronic Commerce" and "Business Law and Computer Security," responded to my blog by pointing out that many retailers feel the language of 779 is ambiguous and will place too much of a burden on merchants.
Wright said in his own blog that the law would also make it nearly impossible for e-commerce companies to do business processing credit cards if it is translated in a certain manner.
"This scheme for imposing liability does not seem fair or rational," said Wright. "It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transgressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection."
On Capitol Hill, lobbyists say that interest in the dozen-odd data measures sitting in various committees continues to wax and wane.
"One month people show more interest, but then it lags again," said one Washington-based IT and security industry lobbyist who asked not to be named. "The committees seem to make progress but then they get distracted by other things. It's one of those things where a lot of these bills might get done this session, or maybe they won't get done at all."
The lobbyist said that there are a variety of sticking points for the individual pieces of legislation, from the wording of the measures to debate over to what extent national laws need to pre-empt existing state measures.
With a bill sitting in the Senate's Judiciary Committee that includes penalties including 5 years in jail for those who are responsible for failing to prevent breaches, it would seem the debate over credit card customer data is only just beginning to get interesting.
Stay tuned.
Posted by Matt Hines on October 5, 2007 09:34 AM
COMMENTS
The consensus of speakers at the just-concluded Real Security Summit is that the future of credit card payments depends on systems that remove useable card data stored anywhere at the merchant level. "The technology exists to achieve real security by taking card data out of merchant systems," said J. David Oder, CEO of Shift4 Corporation, which sponsored the Summit. "Hackers and bad guys will always be on the attack, so the prudent approach is to minimize risk by not storing data in merchant systems."
What was described by Jonathan Rusch of the U.S. Department of Justice as a "global security epidemic" is fueled by terrorist groups and organized crime turning to credit card fraud as a ready source of cash. "Terrorists are always learning and exploiting the system. The key is to stop the problem at its source," said Dennis Lormel, a former FBI white collar crime expert now with Corporate Risk International.
Merchants and other Summit attendees were urged by several speakers to assume that someone will try to penetrate their system and to choose payment processing that outsources the risk by not storing any credit card data at the merchant level. According to Dr. Heather Mark, Principal, The Aegenis Group, there is a difference between a security breach – when a hacker penetrates a system – and a data breach in which card data is compromised. "A security breach is never a good thing, but the public is really affected only when their personal data is taken," she said.
With the possibility of heavy penalties and customer backlash in the event of a data breach, merchants were urged to investigate new technologies that go beyond complying with standards to create real security that can be sustained. "Security is paramount," said Oder. "Compliance is really a byproduct of a commitment to security."
NRF proposes the innovative solution of requiring merchants to store just 'authorization code' and 'truncated receipt'. This is the kind of creative thinking the industry needs. However, this solution might be illegal under California's pending Assembly Bill 779. The words of AB 779 are unclear and poorly defined. For example, AB 779 would forbid a merchant from storing various data elements such as 'payment verification code' and 'payment verification value'. The legislation does not define these terms, and my research finds no clear industry definitions for these terms. (Part of the issue is that different industry players use different words. Further, neither PCI version 1.1 nor its Glossary defines 'payment verification code' or 'payment verification value'.) Therefore, AB 779, if it becomes law, would cause confusion and roadblocks as the industry changes and technology evolves. Parties would not know whether the good data elements they want to store will later in court be interpreted as the data elements AB 779 bans from storage. --Benjamin Wright, Dallas, Texas
Posted by: Benjamin Wright at October 11, 2007 07:49 AM