The PCI standard, which has been one of the private sector's strongest attempts to regulate itself on IT security, is being criticized for not doing enough to protect credit and debit card data. And PCI’s chief proponent, Visa Inc., is working one-on-one with banks and retailers to test new security measures that would go beyond the controls offered by PCI.
The PCI rules, created by Visa and other credit card companies, will have been in effect for four years as of June 30. However, the future of the specification, which is formally known as the Payment Card Industry Data Security Standard, or PCI DSS, is now uncertain. As the number of credit card data breaches grows rapidly and the number of questions about the standard's effectiveness rises, PCI DSS is showing signs of coming apart at the seams.
Actually, criticism of the standard isn't new. But since the recent disclosures of breaches by payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc., PCI DSS has been hit with some of its most forceful denunciations thus far.
At a March 31 hearing held in the U.S. House, Representative Yvette Clarke stated that PCI DSS isn't sufficient for protecting cardholder data. She also mentioned the data breach disclosed early last year by the grocery store chain Hannaford Bros. Co., which was certified as PCI-compliant by a third-party assessor in February 2008.
RBS WorldPay and Heartland obtained PCI certifications last year prior to the breaches that they disclosed in December and January, respectively. Visa dropped the two companies from its list of PCI-compliant service providers last month and is requiring them to be recertified, although it has said retailers can continue to do business with them in the meantime.