
Banks and credit card security, where's the outrage?


The PCI-DSS, the ungainly acronym for payment card industry data security standards, has been roundly criticized as of late by government officials and industry executives. The Associated Press piles on with an investigation that has concluded that "the banks and other companies that handle your information are not being nearly as cautious as they could."  

The article notes data from Privacy Rights Clearinghouse that more than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers. The failure of the PCI-DSS standard--many of the breached firms were in compliance--has been big news for a while now. Visa certainly has its work cut out for it as it aims to upgrade the standard.

The AP takes a look at the big "acquiring banks," as well--"the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant." The reporter attempted to discuss the issue with eight of these banks; most didn't return calls or wouldn't comment for this story.

One who did respond was Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase. He said "his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or email." On its face, that seems wholly inadequate.

It would seem that the big banks need to step up their game. An obvious starting point would be to better enforce PCI compliance, even if that means setting up new units. 

New technology might also be part of the solution. The AP suggests "a system like Europe's, where shoppers need a secret PIN code and card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it's harder to use counterfeit cards), but transferred it elsewhere--to places like the U.S. that don't have as many safeguards."

Banks might also think about encryption; you may be surprised to learn that sensitive data is not yet encrypted in transit. That allows criminals to capture "more data as it makes its way from store to bank, when breaches are harder to stop," explains the article. TJX Cos., which was victimized by a breach that exposed as many as 100 million accounts, says many banks won't accept data in encrypted form.

I'll leave you with this: Celent recently put together a report suggesting what a "model bank" in 2009 would look like. It discussed some model banks in eight areas, such as product development and loan processing. Security and risk management was one of those areas, but no model bank practices were selected there. "While Celent received numerous submissions in the security and risk management category, none of them were compelling enough for inclusion."

And that says a lot. - Jim


Comments

I am impressed that a Chase Bank representative bothered to respond. I wonder if that person will get to keep their job.

Fascinating--meanwhile lobbyists for health technology vendors and health data mining industries brag to Congress about how effective banks and financial institutions are at electronic data transfer and protection of personal information.

Clearly, despite spending far more per employee on IT/year than the healthcare sector, banks and financial institutions ARE NOT providing anything close to the kind of ironclad privacy and security measures needed to protect financial data.

Deborah C. Peel, MD
Founder and Chair, Patient Privacy Rights

It's interesting to still hear the same stories over and over again. Approximately 25 years ago I was attending a security seminar where a company was soliciting for encryption techniques for banks and other financial institutions. Attending were some well known representatives of large banks, who scoffed at the thought that their data could be intercepted or tampered with.
At lunch time, the instructor went to Radio Shack, and purchased about $900 of equipment (computers were quite expensive then) and set up a display for all to watch upon our return. He demonstrated by dialing in to one of the large banks and intercepted data streams of large monetary transactions. The banker reps were astounded and very concerned, to say the least. They all vowed to establish protocols to protect their data. Yet very little has changed to date.
Many institutions do NOT want to implement anything that impedes performance or requires additional overhead and costs them money. They are willing to take the risk of disclosures and pay for them later. The mighty 'bottom line' of risks vs. costs still rules today, disregarding what this does to you and me when breaches occur.
I believe that things will NOT change until it becomes cost effective for institutions to enact these necessary changes.

Thanks for your article. You are correct that PCI Compliance is indeed an area that needs more attention than ever. Institutions MUST wake up and smell the Colombian coffee! It's here to stay, it's a major threat... and regardless what company you use... this trend will not disappear.

Create an Alliance with Compliance!

Many institutions do NOT want to implement anything that impedes performance or requires additional overhead and costs them money. They are willing to take the risk of disclosures and pay for them later.
