Banks and credit card security, where's the outrage?

The PCI-DSS, the ungainly acronym for payment card industry data security standards, has been roundly criticized as of late by government officials and industry executives. The Associated Press piles on with an investigation that has concluded that "the banks and other companies that handle your information are not being nearly as cautious as they could."  

The article notes data from Privacy Rights Clearinghouse that more than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers. The failure of the PCI-DSS standard--many of the breached firms were in compliance--has been big news for a while now. Visa certainly has its work cut out for it as it aims to upgrade the standard.

The AP takes a look at the big "acquiring banks," as well--"the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant." The reporter attempted to discuss the issue with eight of these banks; most didn't return calls or wouldn't comment for this story.

One who did respond was Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase. He said "his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or email." Which on its face seems wholly inadequate.

It would seem that the big banks need to step up their game. An obvious starting point would be to better enforce PCI compliance, even if that means setting up new units. 

New technology might also be part of the solution. The AP suggests "a system like Europe's, where shoppers need a secret PIN code and card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it's harder to use counterfeit cards), but transferred it elsewhere--to places like the U.S. that don't have as many safeguards."

Banks might also think about encryption; you may be surprised to learn that sensitive data is not yet encrypted. Which allows criminals to capture "more data as it makes its way from store to bank, when breaches are harder to stop," explains the article. TJX Cos., which was victimized by a breach that exposed as many as 100 million accounts, says many banks won't accept data in encrypted form.

I'll leave you with this: Celent recently put together a report suggesting what a "model bank" in 2009 would look like. It discussed some model banks in eight areas, the likes of product development and loan processing. Security and risk management was also a concern. But no model bank practices were selected. "While Celent received numerous submissions in the security and risk management category, none of them were compelling enough for inclusion."

And that says a lot. - Jim