Atlanta Fed staffer questions value of PCI guidelines

The US payments industry should reconsider the value of PCI compliance guidance in the light of increasingly sophisticated skimming attacks and instead consider mitigating risk by moving to chip and PIN, according to a Federal Reserve Bank of Atlanta staffer.

In a post on the Atlanta Fed's Portals and Rail blog, Cindy Merritt, assistant director of the retail payments risk forum, calls into question the value of Payment Card Industry (PCI) data security council guidelines in a mag-stripe country.

Merritt says the number of card data breaches in the States continues to rise, highlighting the recent problems at retailer Michaels, where around 90 of its PIN pads across the country were tampered with, leaving customer card details at risk.

Although the PCI council has developed guidelines for retailers like Michaels to protect card readers against skimming, these are often necessary precisely because US cards are mag-stripe rather than the more secure chip-and-PIN technology used in other countries.

Says Merritt: "As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective - a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology."

She acknowledges that a US migration to EMV would be difficult and expensive because of the large number of cards, networks, issuers and merchants involved. However, with so many countries, including most of Europe and Canada, making the switch, crooks are expected to concentrate on the US, pushing up skimming-related losses.

Merritt's concerns echo those of her colleague Richard Oliver, who last year also used the Portals and Rail blog to warn that the US is being left isolated by its reliance on mag-stripe cards while the rest of the world moves to the more secure chip.

Momentum does appear to be building for chip and PIN migration, with retailers, led by giant Wal-Mart, calling for its introduction and the US Department of Defence considering adding EMV-compliant pre-paid payment capabilities to its ID card for military personnel and staff.

Comments: (2)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 02 June, 2011, 10:11

Can the regulators or someone else clarify whether Michaels (and SONY PlayStation Network, for that matter) didn't get PCI-DSS right, or, despite getting it right, couldn't prevent the identity theft they recently suffered? While EMV seems to be the low-hanging fruit, heaping new compliance requirements on top of existing ones might not work. The popularity of Mint, OfferMatic, BillGuard and other services that directly access the customer's bank account on the basis of a simple username and password suggests that two-factor authentication solutions haven't been implemented by many banks so many years after it was mandated by FFIEC.

Nick Collin - Collin Consulting Ltd - London, 05 June, 2011, 13:39

Finally, the US is beginning to understand that rather than try and protect a "secret" (the card details) which is not really secret at all (the PAN is, after all, embossed on the front of every card!) it makes more sense to use Chip and PIN to render the information useless to fraudsters.

I predict nothing can stop full US migration to EMV now.