Standards body says government should continue to let private sector dictate rules for protecting card data

Despite several high-profile security breaches at major retailers, the government should let the private sector continue to set the rules for protecting credit- and debit-card data, a standards body says.

Bob Russo, general manager of the Payment Card Industry (PCI) Security Standards Council, was scheduled to tell a congressional committee Wednesday that it is unlikely any government agency could duplicate “the expansive reach, expertise and decisiveness of PCI,” referring to the standards set by the council.

“High profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations,” Russo said in an advance copy of his prepared remarks. “Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI standards.”

Russo was one of several industry experts scheduled to testify before a subcommittee of the House Energy and Commerce Committee. Other congressional panels have been looking into the data breaches recently disclosed by Target, Neiman Marcus, Michaels Stores and, more recently, White Lodging. The hotel management company warned Monday that the electronic cash registers in its restaurants and lounges at 14 of its properties might have been compromised during most of last year. The company manages hotel franchises under nationwide brand names such as Hilton, Marriott, Sheraton and Westin.

The string of data breaches has drawn the attention of lawmakers, who are asking the payment card industry, retailers and security experts to explain the processes used to protect consumers.

On Monday, executives from Neiman Marcus and Target testified before the Senate Judiciary Committee. The attackers who stole card data from Target and Neiman Marcus used malware that grabbed the data from the memory of cash registers, known as point-of-sale (POS) systems, before the information was encrypted. The latest version of the council’s standards for POS systems requires retailers to perform a default reset every 24 hours to remove any malware that could reside in memory, Russo said.

The council also supports deployment of smart cards with an embedded chip, which makes it much more difficult for criminals to create counterfeit credit cards from stolen data. The so-called EMV chips are widely used in Europe, while in the U.S. the credit-card industry uses cards with less secure magnetic stripes. The use of smart cards would require expensive changes to hardware and software, so the retail, banking and credit card industries have been fighting for years over who will pay for the transition. However, credit card companies are starting to issue such cards when consumers ask for them.

Russo pointed out that EMV chips, while useful for security, would not prevent the use of stolen card numbers online. Nor would they have prevented the recent data breaches. “EMV chip technology could not have prevented the unauthorized access, introduction of malware, and subsequent exfiltration of cardholder data,” he said.

While government should stay out of setting standards, Russo argued, it could help deter payment card fraud through stronger law enforcement efforts worldwide. In addition, Congress could pass stiffer penalties for such crimes. Government could also simplify data breach notification laws and promote cyberattack information sharing between the public and private sectors. “These are all opportunities for the government to help tackle this challenge,” Russo said.