By Brian Fonseca
June 25, 2007
LAS VEGAS -- A panel of financial services and retail executives this
month disagreed on which side bears the brunt of the burden to ensure
compliance with the Payment Card Industry (PCI) Data Security Standard.
Executives from JPMorgan Chase & Co. and First Horizon National Corp.
told an audience at Symantec Corp's Vision user conference here that
high-profile data breaches at retailers like The TJX Companies Inc. are
not originating from their side of the fence -- yet they must spend
significant sums to make sure such incidents don't happen.
"The TJX incident was not a JPMorgan [data breach]; it wasn't at First
Horizon or Citigroup. It was at a merchant. And yet all the plans to
remediate that have been with the banks," said Christopher Leach, senior
vice president and chief information security officer at Memphis-based
Framingham, Mass.-based TJX disclosed early this year that more than 45
million credit and debit card numbers were stolen from two of its IT
systems over an 18-month period.
An AT&T Inc. executive, on the other hand, contended that banks have so
far done little to share in the burden of ensuring credit and debit card
security compared with businesses that accept such payments.
The PCI standards were created by five credit card companies -- Visa
International Inc., MasterCard International Inc., American Express Co.,
Discover Financial Services LLC and JCB Co. -- to protect credit card data
before, during and after transactions.
First Horizon, which operates in 43 states and claims $5 billion in
annual revenue, is currently going through a costly new round of PCI
certification efforts or, as Leach put it, trying to "build that
airplane as we build the runway."
"We've discovered that PCI keeps changing," Leach said. "We went down the
path to be certified at one point and did a great deal of due diligence
only to find out some of the requirements would change. One Visa analyst
would say one thing, and another Visa analyst would say something very
Brian Glowacki, vice president and lead architect for global storage
technology at JPMorgan in New York, agreed that banks are bearing an
unfair security burden compared with merchants.
Vanessa Pegueros, director of compliance services at AT&T, contended
that banks are "thumbing their noses at the PCI regulation, so we are
paying the price."
"We were doing a good job -- maybe not as fast as some would like, but
we were on a plan and trying to meet the [PCI] requirements," Pegueros
said. "But [Visa is] trying to take a hard-line approach, and we're caught
in the middle. Now we have to adjust our plans."
Gartner Inc. analyst Avivah Litan agreed that banks are not yet taking
adequate measures to comply with the PCI standards.
"There has not been a lot of enforcement at the bank level," she said. "All
the enforcement scheduled has been on the processing and retailer side,
so it has been unfair, frankly."
Litan said retailers are upset because they believe that they are being
held to a higher standard than banks in securing their systems.
Bob Russo, general manager of the PCI Security Standards Council in
Wakefield, Mass., said that both sides should work together to ensure
that the cards are secure.
"This should not be a blame game," he said. "The bottom line is, everyone
who touches consumer payment card data has a responsibility to secure