Visa Inc.'s top risk management executive Thursday dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure.
Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly."
Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year.
"I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.
Richey's defense of PCI DSS and criticism of Heartland come as Visa, which has taken the lead among credit card companies in seeking to enforce the standard, is itself facing some criticism over its enforcement actions.
For instance, some analysts have been critical of the so-called probationary period that Visa has imposed on Heartland, saying that designation - which requires the payment processor to meet more stringent security requirements than usual - appears to have been created purely in response to the Heartland situation. Some also see Visa's insistence that Heartland and RBS WorldPay weren't compliant with PCI DSS when the breaches occurred as an attempt by the credit card company to protect itself legally and prevent the payment processors from using PCI as a shield against breach-related lawsuits filed by banks and credit unions.
In addition, questions are being raised about what exactly it takes to remain fully PCI-compliant at all times. "It's easy to find somebody to be in noncompliance if that is the primary goal" of an audit, said David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.
In an interview earlier this week about Visa's removal of Heartland and RBS WorldPay from its PCI-compliant list, Taylor said that auditors are bound to find problems if they really want to. "It's easy to go in and say, 'You don't have this patch, or you didn't centralize your logs,'" he said.
During a panel discussion after Richey's talk at the Visa summit today, Dan Roeber, vice president and manager of merchant PCI compliance at Fifth Third Bancorp, said there are "lots of moving parts" in the PCI standard - a situation that sometimes can make complying with the rules a challenge, he added.
Roeber called for Visa and other credit card companies to give merchants more flexibility in implementing security controls based on the specific risks that they face in their own environments. He also said PCI Security Standards Council LLC, the organization responsible for administering PCI DSS, "needs to do a more thoughtful job" and "get as much risk-oriented language as possible" into the rules in order to make them more digestible for companies trying to figure out why
Post new comment