Sponsored By

PCI Data Security Standard: Weakest Link

The Payment Card Industry Data Security Standard, meant to help protect consumers' credit and debit card information at retail, has a few flaws of its own, some observers said. Dave Hogan, chief information officer for the National Retail Federation, Washington, said he considers the weak link to be the PCI standard itself, because it is difficult to follow and interpret. Retailers, he added, should

Michael Garry

December 1, 2008

1 Min Read
Supermarket News logo in a gray background | Supermarket News

MICHAEL GARRY

The Payment Card Industry Data Security Standard, meant to help protect consumers' credit and debit card information at retail, has a few flaws of its own, some observers said.

Dave Hogan, chief information officer for the National Retail Federation, Washington, said he considers “the weak link to be the PCI standard itself, because it is difficult to follow and interpret.” Retailers, he added, should be allowed to “not store card data at all and not get penalized for it.” Currently, retailers may need to consult card data to prove that a transaction took place in a dispute, but Hogan argued that an authorization code would be sufficient.

Another apparent weakness in the PCI standard concerns the encryption of card data as it is “in transit” to banks or processors for authorization and settlement. Under current rules, whatever safeguards may be in place at the retailer, the data must be unencrypted when it reaches the bank or processor so that it can be readily processed, said Tony van Seventer, vice president of marketing and products at Store Next Retail Technologies, Plano, Texas, a provider of retail technology. This was the very loophole that criminals exploited in the breach at Hannaford Bros., Scarborough, Maine, earlier this year.

Thus, while PCI remains the de facto industry standard when it comes to payment card security, many believe that it does not go far enough. Hannaford, for example, has invested heavily in security enhancements that go well beyond PCI requirements.

“The PCI security standards are a minimum requirement,” said Thomas Murphy, president, Peak Tech Consulting, Colorado Springs. “Being compliant here has not necessarily led to the kind of complete security you would want as a CIO.”

Stay up-to-date on the latest food retail news and trends
Subscribe to free eNewsletters from Supermarket News

You May Also Like