An article relating to this blog post on Finextra:
Atlanta Fed staffer questions value of PCI guidelines
The US payments industry should reconsider the value of PCI compliance guidance in the light of increasingly sophisticated skimming attacks and instead consider mitigating risk by moving to chip and P...
The Atlanta Federal Reserve's Cindy Merritt -- assistant director of the Retail Payments Risk Forum -- offers a refreshing, plain talking critique of the PCI-DSS regime. She goes to the heart of the matter; the rewards for organised crime are simply so vast
that a process and audit based security regime like PCI-DSS doesn't stand a chance. PCI (like policy based security generally) mitigates against accidental loss or amateur attack, but it is nearly useless against concerted sophisticated attacks or inside jobs.
While stakeholder in the US struggle with the business case for EMV, it may help to look a little beyond EMV, because on its own, it still leaves the system open to Card Not Present fraud. The experience worldwide is that organised crime in each market turns
to CNP when their skimming methods are throttled by the introduction of chip.
If deployed artfully, chip cards from the EMV system can also thwart CNP attack by introducing strong asymmentric cryptography (digital signing) to Internet transactions.
While the US bricks-and-mortar retail environment faces major switching costs, and they make take years to upgrade their termianl equipment, e-tailers have a wonderful opportunity to foster the use of chip cards to secure payment data in online shopping,
for the price of a smartcard reader for each customer.