A panel of financial services and retail executives last month disagreed on which side bears the brunt of the burden to ensure compliance with the Payment Card Industry (PCI) data security standard.
Executives from JPMorgan Chase and First Horizon National told an audience at Symantec’s Vision user conference in Las Vegas that high-profile data breaches at retailers such as The TJX Companies are not originating from their side of the fence — yet they must spend significant sums to make sure such incidents don’t happen.
The TJX incident “was not a JPMorgan [data breach]; it wasn’t at First Horizon or Citigroup. It was at a merchant. And yet all the plans to remediate that have been with the banks,” said Christopher Leach, senior vice president and chief information security officer at Memphis-based First Horizon.
Massachusetts-based TJX disclosed early this year that more than 45 million credit and debit card numbers were stolen from two of its IT systems over an 18-month period.
An AT&T executive, on the other hand, contended that banks have so far done little to share in the burden of ensuring credit and debit card security compared with businesses that accept such payments.
The PCI standards were created by five credit card companies — Visa, MasterCard, American Express, Discover Financial Services and JCB — to protect credit card data before, during and after transactions.
First Horizon, which operates in 43 states and claims US$5 billion (NZ$6.5 billion) in annual revenue, is currently going through a costly new round of PCI certification efforts — or, as Leach put it, “trying to build that airplane as we build the runway”.
“We’ve discovered that PCI keeps changing,” Leach said. “We went down the path to be certified at one point and did a great deal of due diligence only to find out some of the requirements would change. One Visa analyst would say one thing, and another Visa analyst would say something very contradictory.”
Brian Glowacki, vice president and lead architect for global storage technology at JPMorgan in New York, agreed that banks are bearing an unfair security burden compared with merchants.
Vanessa Pegueros, director of compliance services at AT&T, contended, however, that banks are “thumbing their noses at the PCI regulation, so we are paying the price.”
“We were doing a good job — maybe not as fast as some would like, but we were on a plan and trying to meet the [PCI] requirements,” Pegueros said. “But [Visa is] trying to take a hard-line approach, and we’re caught in the middle. Now we have to adjust our plans.”
Gartner analyst Avivah Litan agreed that banks are not yet taking adequate measures to comply with the standards.
“There has not been a lot of enforcement at the bank level,” she said. “All the enforcement scheduled has been on the processing and retailer side, so it has been unfair, frankly.”
Litan said retailers are upset because they believe that they are being held to a higher standard than banks in securing their systems.
Bob Russo, general manager of the PCI Security Standards Council in Massachusetts, said that both sides should work together to ensure that the cards are secure.
“This should not be a blame game,” he said. “The bottom line is, everyone who touches consumer payment card data has a responsibility to secure it.”