PCI Council says government should stay out of payment card standards

Despite several high-profile security breaches at major retailers, the government should let the private sector continue to set the rules for protecting credit- and debit-card data, a standards body says.

Bob Russo, general manager for the Payment Card Industry (PCI) Security Standards Council, was scheduled to tell a congressional committee Wednesday that it's unlikely any government agency could duplicate "the expansive reach, expertise and decisiveness of PCI," referring to the standards set by the council.

"High profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations," Russo said in an advance copy of his prepared remarks.

"Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI standards."

Russo was one of several industry experts scheduled to testify before a subcommittee of the House Energy and Commerce Committee. Other congressional panels have been looking into the data breaches recently disclosed by Target, Neiman Marcus, Michaels Stores and, more recently, White Lodging.

The hotel management company warned Monday that the electronic cash registers in its restaurants and lounges on 14 of its properties might have been compromised during most of last year. The company manages hotel franchises under nationwide brand names such as Hilton, Marriott, Sheraton and Westin.

The string of data breaches has drawn the attention of lawmakers who are asking the payment card industry, retailers and security experts to explain the processes used to protect consumers. On Monday, executives from Neiman Marcus and Target testified before the Senate Judiciary committee.

The attackers who stole card data from Target and Neiman Marcus used malware that snatched the data from the memory of cash registers, called point-of-sale (POS) systems, before the information was encrypted.

The latest version of the council's standards for POS systems requires retailers to perform a default reset every 24 hours to remove any malware that could reside in memory, Russo said.

The council also supports deployment of smart cards that have an embedded chip, making it much more difficult for criminals to create counterfeit credit cards with stolen data. The so-called EMV chips are widely used in Europe, while in the U.S. the credit-card industry uses cards with less secure magnetic stripes.

The use of smart cards would require expensive changes to hardware and software, so the retail, banking and credit card industries have been fighting for years over who will pay for the transition. However, credit card companies are starting to issue such cards when consumers ask for them.

Russo pointed out that EMV chips, while useful for security, would not prevent the use of credit card numbers online. They also would not have prevented the recent data breaches.

"EMV chip technology could not have prevented the unauthorized access, introduction of malware, and subsequent exfiltration of cardholder data," he said.

While government should stay out of setting standards, Russo said, it could help deter payment card fraud through stronger law enforcement efforts worldwide. In addition, Congress could pass stiffer penalties for such crimes.

Government could also simplify data breach notification laws and promote cyberattack information sharing between the public and private sectors.

"These are all opportunities for the government to help tackle this challenge," Russo said.

Stories by Antone Gonsalves