Unobtrusive until now, a set of unrelated security requirements is about to become pretty unpopular, and costly.
The new directives include a regulation on tracking cookies from the European Union; Securities and Exchange Commission guidance on the need for banks to cover cybersecurity and risk issues in their quarterly reports; and acknowledgement from the Federal Deposit Insurance Corp. that bankcard issuers should comply with Payment Card Industry data-security standards created by MasterCard Worldwide, Visa Inc., Discover Financial Services and American Express Co.
Bankers take issue with the PCI mandate in particular. The card brands designed PCI data security standard to protect card data at any organization that handles the information, and industry enforcement has focused primarily on merchant acquirers, not card issuers. For a large bank, the cost of becoming PCI-compliant and then to validate that status could cost hundreds of thousands to millions of dollars, says Avivah Litan, a vice president and distinguished analyst at Gartner.
First State Bank of Barboursville, W.Va., issues credit cards, but it does not process or store the data. Applying a specific security standard to the bank's payment card silo makes no sense, the issuer says.
"PCI is prescriptive and sets a minimum level of security, but it does not protect the banks long term," says Sam Vallandingham, First State chief information officer and vice president.
Banks generally have security procedures in place across the enterprise that are much stronger than an industry standard primarily geared to merchants, Vallandingham says.
The FDIC does not enforce PCI as a law or regulation, the agency said in an email where it also noted that PCI is a self-regulatory framework. But it said PCI's "requirements for protecting sensitive consumer/customer information are consistent with the requirements of the (Gramm-Leach-Bliley Act) 501(b) Information Security Standards, for which the FDIC is responsible."
In a Jan. 31 letter, the FDIC laid out its expectations when it comes to relationships banks have with credit card processors, but it did not mention PCI.
"No one is enforcing PCI at the banks, but they are expected to be compliant, and some examiners think they should enforce it," Litan says.
Generally speaking, the card brands expect only banks or bank processors that connect directly to their transaction networks to validate compliance. Though all parties that partake in card transactions are expected to be compliant, actions are rarely taken against issuing banks, experts say.
However, requiring issuers to be PCI-compliant might help because the standards have reduced total card fraud, experts say.
"This is taking best practices for one industry and leveraging it across the broader banking spectrum," says Julie Conroy McNelley, a senior analyst and fraud expert for Aite Group.
A Visa spokesperson declined to comment because of the lack of official written guidance from the FDIC on PCI.
A MasterCard representative wrote in an email that "MasterCard continuously monitors its rules and guidelines related to PCI and other industry standards."
"Should federal regulations require MasterCard to revise its rules or standards, it would do so accordingly," the representative wrote.
While the FDIC has been discreet about the need for banks to be PCI-compliant, the SEC has been explicit about what it expects from banks when it comes to discussing cybersecurity and risk in quarterly filings.
A disclosure item from October says banks should, among other things, describe "cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences" as well as "risks related to cyber incidents that may remain undetected for an extended period."
This raises questions about how much to report and when to report it, particularly if a bank is in the middle of its own investigation of a cyber break-in.
"The most significant impact of this guidance is that it takes cybersecurity, which is traditionally viewed as an IT or [chief information officer] issue, and makes it a boardroom issue," says Gerald J. Ferguson, national co-leader of Baker Hostetler's privacy, security and social media team in New York.
In Europe, regulators are moving on other fronts. A European Union electronic privacy directive that went into effect last year requires banks that do business overseas to notify their online-banking customers about their use of tracking cookies. Banks must explicitly ask their customers to opt into receiving cookies.
Enforcement will start in late May, Ferguson says.
"The EU authorities are taking the position that if you are placing code on the browser of the user located in Europe, you have given them jurisdictional" authority, Ferguson says.
Besides being a hassle, requiring an opt-in might create security issues, experts say.
One of the biggest benefits of using cookies is in security, McNelley says. Cookies assist with device detection, a valuable component in the fight against fraud.
Banks "will have to give every consumer a way to choose, and explain the value of the tracking, and that is not always easy to do," McNelley says.