PCI Security; Associated Press Investigation

Last week an Associated Press investigation revealed that the companies that handle your credit card data, including banks and major retail outlets, are not as secure with your information as they could be.

Scores of retailers and payment processors have disclosed data breaches in the past few years. This year Heartland Payment Systems suffered perhaps the largest data breach ever: hundreds of millions of transaction records were compromised, and millions of people had their account information stolen. The same intrusion that hit Heartland also compromised perhaps 300 other companies, none of which ever disclosed the problem.

As with Heartland, even companies with the industry’s top computer security rating, known as Payment Card Industry (PCI) compliance, have been the victims of major breaches.

Credit card companies and the payment processors who work with them are left by the government to develop their own industry security rules. These PCI standards require that stores which initiate credit card transactions run antivirus software and have firewalls installed. However, the required penetration tests (simulated attacks) are run just once a year, and the businesses being tested are allowed to define the scope of those tests and to run the tests themselves. As Ariel Silverstone, the CISO of Temple University, has aptly said, “Who can fail an audit when one of its tenets is that the audited organization gets to define its scope?” Those merchants who do hire outside security auditors to check for compliance frequently do so in the cheapest way possible. It is no surprise that the AP describes these rules as “cursory at best and meaningless at worst.”
Moreover, some companies that handle your sensitive financial information aren’t even PCI compliant. They are forced to pay fines but are left free to process your credit and debit card payments.

Suffice it to say, your credit and debit information is at serious risk.

What is surprising is that until recently there has been little effort to do something about this serious problem. The lack of network security has been the dirty little secret of the processor industry. The payment industry is built on efficiency, and it has feared that adding security would slow transactions down. With the entire payments industry worried about speed, and every participant equally insecure, it was easier not to talk about the problem at all. Surprisingly, the credit card providers have not been pushing for greater security either. Instead they have been content to operate across inherently insecure networks notwithstanding the billions of dollars at risk. Breaches and the frauds that follow have been chalked up to the cost of doing business. Besides, these companies don’t have to go through the hassle an individual consumer endures when his or her financial data has been compromised.
Tougher compliance standards, PCI or otherwise, are needed. Financial systems, including payment IT systems, should deploy only the best available technologies end-to-end. Merchants’ computer networks must be secure in their handling of sensitive financial information. Processors need to ensure that even if a retailer is hacked, the critical private financial data on the processor’s own systems remains protected. Consumers should be informed immediately of the possibility that their information has been compromised. The list of necessary improvements is long and substantial.

One Response to “PCI Security; Associated Press Investigation”

  1. Kylie Batt Says:

    Congratulations, a brilliant idea and a timely one