The Payment Card Industry Data Security Standard, meant to help protect consumers' credit and debit card information at retail, has a few flaws of its own, some observers said.
Dave Hogan, chief information officer for the National Retail Federation, Washington, said he considers “the weak link to be the PCI standard itself, because it is difficult to follow and interpret.” Retailers, he added, should be allowed to “not store card data at all and not get penalized for it.” Currently, retailers may need to consult card data to prove that a transaction took place in a dispute, but Hogan argued that an authorization code would be sufficient.
Another apparent weakness in the PCI standard concerns the encryption of card data as it is “in transit” to banks or processors for authorization and settlement. Under current rules, whatever safeguards may be in place at the retailer, the data must be unencrypted when it reaches the bank or processor so that it can be readily processed, said Tony van Seventer, vice president of marketing and products at Store Next Retail Technologies, Plano, Texas, a provider of retail technology. This was the very loophole that criminals exploited in the breach at Hannaford Bros., Scarborough, Maine, earlier this year.
Thus, while PCI remains the de facto industry standard when it comes to payment card security, many believe that it does not go far enough. Hannaford, for example, has invested heavily in security enhancements that go well beyond PCI requirements.
“The PCI security standards are a minimum requirement,” said Thomas Murphy, president, Peak Tech Consulting, Colorado Springs. “Being compliant here has not necessarily led to the kind of complete security you would want as a CIO.”