At a hearing yesterday, the House Homeland Cybersecurity Subcommittee took aim at what members called "ineffective" PCI standards. Every member who made an opening statement criticized the PCI standards as outdated, slow to update, and ineffective.
The Department of Justice's representative stopped short of calling for federal rules to supplement or supplant the PCI standards, instead focusing on requiring companies that have discovered a breach to report that breach immediately to federal law enforcement officials.
The most heated discussion came when a panel of industry experts testified. Representatives from PCI, Visa (Fraud Control and Investigations), and the National Retail Federation, together with the CIO of Michael's Stores, gave conflicting views of the effectiveness of the PCI standards as well as of how those standards operated. Representatives from Visa and PCI maintained that they had never discovered a breach at an entity that was in full compliance with the PCI standards at the time of the breach. The merchant representatives countered that the PCI standards were vague, subjective, complex, costly, and difficult to implement.
Following questioning from members of the subcommittee, it became clear that the two groups disagreed on whether merchants were required to retain card numbers in order to process "chargebacks." The retailers claimed that they were, while Visa stated there was no such requirement. When challenged by the National Retail Federation representative to state on the record that merchants would not be fined for failing to store credit card numbers, PCI and Visa were silent.
The two groups also disagreed as to whether end-to-end encryption was desirable, and what efforts the card industry was making to implement chip-and-PIN technology, similar to that being rolled out in the EU. The PCI representative said that such proposals were being considered, and that, as it stood now, end-to-end encryption was unnecessary because full compliance with the PCI standards is effective in stopping breaches without adding the cost of encryption. The merchant representatives stated that encryption is required until it is "inconvenient" to the issuing banks, and implied that the issuing banks and the card issuers were behind the delay in implementation.
In light of those disagreements, Chairwoman Clarke expressed great concern that the parties could not agree about what the PCI standards required and stated that the stored data requirements must be fixed.