Congress is hearing two sides of the story about the role the card networks' Payment Card Industry data security standard plays in fighting fraud.
Executives from the PCI Security Council, which maintains the standard, and the National Retail Federation will testify in front of Senate and House committees in Washington, D.C. as government officials review policies and procedures for safeguarding consumers' financial data.
PCI and the NRF agree that government can lend support through tougher law enforcement and possibly by establishing standards to ensure that organizations that suffer breaches share information about how those breaches occurred with other companies. They also agree that multiple layers of defense are needed to thwart fraud.
But they mostly disagree about the role the PCI council should have in the process, especially as it relates to providing standards and policing merchants through compliance testing.
"Retailers are essentially at the mercy of the dominant credit card companies when it comes to protecting payment card data," says Mallory Duncan, general counsel for the National Retail Federation, in prepared testimony he is expected to give Feb. 3 to the Senate subcommittee on national security and international trade and finance.
The NRF does not view the card brands and PCI as a major fraud deterrent, Duncan says.
The networks and PCI data security council have good intentions, Duncan says, but their standards "have not worked quite as well in practice."
"PCI has in critical respects over time pushed card security costs onto merchants even when other decisions might have more effectively reduced fraud or done so at lower cost," Duncan says.
Merchants are expected to annually demonstrate PCI compliance to the card networks, often at considerable expense, Duncan says. However, certification by the networks as PCI compliant "apparently has not been able to adequately contain the growing fraud," Duncan adds.
The PCI council has a different view. The council and its participating organizations are "right in the middle of this and in the best position to drive" a fight against fraud, says Bob Russo, general manager of the PCI Security Council, in an interview. Russo will testify Feb. 5 before a subcommittee of the House Energy & Commerce Committee.
Ultimately, Congress cannot get involved in setting industry standards because data security is a global problem, Russo says.
"It takes PCI a three-year cycle to establish new standards and I am sure Congress doesn't want that undertaking," Russo adds. "If Congress tried to set standards, the rest of the world would just say, 'OK, that's an American standard and doesn't apply to us.'"
The PCI Council intends to keep its message clear that the federal government can help protect card data in U.S. payments networks by more aggressively investigating and ultimately arresting cybercriminals in data breach cases, Russo says.
In addition, merchants and security providers would benefit if the government supported standards for the industry to share information about how data breaches occurred, Russo adds.
"It takes people, processes and technology," he says.
In the wake of breaches at Target and other major retailers, many experts have debated whether EMV-chip cards could improve security enough to prevent similar incidents. "We want to make it clear to Congress that we support the EMV chip, but by itself it is not enough," Russo adds.
Merchants, card networks and security vendors would like to see information about breaches shared so that "we can plug the holes right away," Russo says.
PCI chief technology officer Troy Leach is scheduled to testify at today's hearing.
Leach is expected to make similar points in the Senate hearing, including the PCI council's support of methods such as encryption and tokenization to obscure card data when it is in use.
"These technologies can dramatically increase data security at vulnerable points along the transactional chain," Leach states in a preview of his testimony made available to the media. "Tokenization and point-to-point encryption remove or render payment card information useless to cyber criminals, and work in concert with other PCI standards to offer additional protection to payment card data," Leach says.
The Clearing House weighed in on the hearings through a statement to the press, arguing that the entire payments ecosystem should embrace tokenization to protect consumers.
The Clearing House also points out that EMV chips are meant to prevent the counterfeiting of physical cards, and provide less protection for online payments. In addition, the organization says EMV would not have prevented the theft of customer account numbers that occurred in the recent retail breaches.