Banks Claim Share of Credit Card Security Costs Is Unfair


By Brian Fonseca
June 25, 2007 

LAS VEGAS -- A panel of financial services and retail executives this 
month disagreed on which side bears the brunt of the burden to ensure 
compliance with the Payment Card Industry (PCI) Data Security Standard.

Executives from JPMorgan Chase & Co. and First Horizon National Corp. 
told an audience at Symantec Corp.'s Vision user conference here that 
high-profile data breaches at retailers like The TJX Companies Inc. are 
not originating from their side of the fence -- yet they must spend 
significant sums to make sure such incidents don't happen.

"The TJX incident was not a JPMorgan [data breach]; it wasn't at First 
Horizon or Citigroup. It was at a merchant. And yet all the plans to 
remediate that have been with the banks," said Christopher Leach, senior 
vice president and chief information security officer at Memphis-based 
First Horizon.

Framingham, Mass.-based TJX disclosed early this year that more than 45 
million credit and debit card numbers were stolen from two of its IT 
systems over an 18-month period.

An AT&T Inc. executive, on the other hand, contended that banks have so 
far done little to share in the burden of ensuring credit and debit card 
security compared with businesses that accept such payments.

The PCI standards were created by five credit card companies -- Visa 
International Inc., MasterCard International Inc., American Express Co., 
Discover Financial Services LLC and JCB Co. -- to protect credit card data 
before, during and after transactions.

First Horizon, which operates in 43 states and claims $5 billion in 
annual revenue, is currently going through a costly new round of PCI 
certification efforts -- or, as Leach put it, "trying to build that 
airplane as we build the runway."

"We've discovered that PCI keeps changing," Leach said. "We went down the 
path to be certified at one point and did a great deal of due diligence 
only to find out some of the requirements would change. One Visa analyst 
would say one thing, and another Visa analyst would say something very 

Brian Glowacki, vice president and lead architect for global storage 
technology at JPMorgan in New York, agreed that banks are bearing an 
unfair security burden compared with merchants.

Vanessa Pegueros, director of compliance services at AT&T, contended 
that "banks are thumbing their noses at the PCI regulation, so we are 
paying the price."

"We were doing a good job -- maybe not as fast as some would like, but 
we were on a plan and trying to meet the [PCI] requirements," Pegueros 
said. "But [Visa is] trying to take a hard-line approach, and we're caught 
in the middle. Now we have to adjust our plans."

Gartner Inc. analyst Avivah Litan agreed that banks are not yet taking 
adequate measures to comply with the PCI standards.

"There has not been a lot of enforcement at the bank level," she said. "All 
the enforcement scheduled has been on the processing and retailer side, 
so it has been unfair, frankly."

Litan said retailers are upset because they believe that they are being 
held to a higher standard than banks in securing their systems.

Bob Russo, general manager of the PCI Security Standards Council in 
Wakefield, Mass., said that both sides should work together to ensure 
that the cards are secure.

"This should not be a blame game," he said. "The bottom line is, everyone 
who touches consumer payment card data has a responsibility to secure 
