All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
April 12, 2007 — CSO — In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry’s data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent.
An undisclosed number of transaction records from TJ Maxx, Marshalls and other TJX stores had been compromised. “Removed” by intruders, even. Exactly which records, when and by whom, the $16 billion retailer was unsure, although The Wall Street Journal later put the number of affected credit cards at more than 40 million. Behind the scenes, TJX executives began working with law enforcement and additional outside security experts to try to identify and fix the problem, prior to a January announcement of the breach.
Meanwhile, in San Francisco, Visa was going public with an announcement of its own. Technically, if its merchants aren’t compliant with the Payment Card Industry (PCI) Data Security Standard, Visa can cut off their ability to accept Visa cards—a death sentence for commerce. Despite deadlines that had come and gone, however, only 36 percent of Visa’s largest merchants were following the rules. So starting in April, banks whose retail customers were in compliance and had not suffered security breaches would be eligible to receive funds from a pool of up to $20 million. In addition, Visa warned, it would increase fines to banks whose retail customers were not compliant and make PCI certification a requirement for some pricing discounts.
As far as Visa is concerned, the standard is working—if only merchants would adopt it. “To date we have not seen that a PCI-compliant entity has been compromised,” Eduardo Perez, vice president for payment system risk at Visa, told CSO in January. Although he would not comment on the TJX incident specifically, he continued: “In every instance we’ve dealt with, compromised entities have not been compliant with PCI.”
For critics, however, the TJX breach proves something else entirely. “It’s a perfect example of where the PCI program is not working,” says Avivah Litan, vice president and research director at Gartner. “It’s a good step. It’s good for the card brands to enforce security, but it’s impractical to expect 5 million retailers to become security experts.”
In reality, the TJX breach is not so much an example as it is a test. Corporate America has long insisted that self-regulation, not government intervention, is the cure for what ails information security. Government regulations, they claim, tend to be poorly crafted and difficult to enforce; they turn into needlessly expensive exercises in bureaucratic paperwork. In response to the threat of such legislation, industry sectors have attempted to police themselves by establishing either voluntary guidelines or ones imposed by business partners. (See “Security Standards for Power Companies.”)