
PCI Standards Again Questioned in Wake of New Breach

Posted by John B. Frank Friday, April 11, 2008

Interestingly, the brick and mortar world (the one chock full of PCI Standard compliance demands) seems less secure than the online world. Yet online retailers pay exorbitantly higher fees than brick and mortar retailers. Card Not Present transactions are certainly higher risk transactions, but HomeATM's Internet PIN Debit platform, combined with their PIN Entry Device (PED), could cut risk significantly and thus save online retailers 100 basis points off their interchange fees.

In yet another breach, this one at Advance Auto Parts, Retail Wire questions whether or not we should move to Chip and PIN based transactions.

Here's the discussion in today's Retail Wire...

And yet again, an American retailer and its customers go down the road of data theft. In this case, the retailer is Advance Auto Parts and the most recent hack affected 56,000 of its shoppers in eight states - Georgia, Indiana, Louisiana, Mississippi, New York, Ohio, Tennessee and Virginia. Luckily, the customers from the stores in question represent a small portion of the total shoppers that frequent the chain's 3,261 stores across the country.

The discovery of the breach, as with those at other retailers, has prompted Advance to reassess its security measures. Others, at the same time, are once again questioning if Payment Card Industry (PCI) compliance standards are either fair or effective.

In a recent interview with RIS News, Dave Hogan, senior vice president and chief information officer with the National Retail Federation (NRF), expressed the view that more secure forms of payment such as "Chip & Pin" were available and proven in reducing fraud. He suggested that card associations should "provide (at no cost to the merchant) card readers that can accept these new types of cards."

Mr. Hogan also took issue with the amount of data that merchants are required to keep by banks. He called on financial institutions to "state that 'Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.'"

To read the Retail Wire discussion, click here. I'm sure it will garner a lot of responses. Here is one from Evan Schuman, former eWeek contributor and StorefrontBacktalk editor:

To answer your question, yes, Hogan's concerns are quite reasonable. Much of this, though, is a lot of agreement on the easy issues. There are few who truly argue with the following:

1) PCI is not perfect and retailers who are fully compliant are still fully vulnerable. Even PCI's backers agree with this. PCI was never intended to be perfect security. PCI was never intended to be anything beyond a good starting point.

2) PCI has absolutely improved retail security today. Again, this is pretty much unanimous. It's not gone nearly far enough, but any movement forward is good.

3) Banks are, for the most part, much better choices than retailers to store sensitive payment data. Again, no one ultimately quarrels with this. The issue involves infrastructure, politics and business costs. To make this transition would require tons of agreement from people who are not motivated to make such agreements. So arguing that it's better doesn't help much if it can't be done given the powers that be.

4) Chip and PIN is more secure than what much of the U.S. is doing. True. But Chip and PIN--as it's deployed in the U.K.--also has many issues. Making the transition would be costly, would meet with substantial infrastructure resistance AND it would still leave retailers far more exposed than is desirable. For the same extreme effort and cost, we could probably come up with a more secure approach.

It's also true that if all retailers strictly adhered to the common-sense rules (no default passwords, examine traffic logs routinely and seriously, strictly enforce procedures, etc.), we'd also be far better off.

This, however, doesn't address the Hannaford scenario where--based on currently available information--we have a retailer that indeed appeared to abide by all of the rules and still got burned by some aggressive cyber thieves. That's the more rare but far more frightening scenario.

Evan Schuman, Editor, StorefrontBacktalk.com
