The private sector polices itself for poor performance or neglect, leaving customers in the dark about how their credit data was stolen.
Photo caption: American Express, Discover, MasterCard and Visa credit cards are displayed for a photograph in New York, U.S., on Tuesday, May 18, 2010. Credit-card firms caught off-guard by U.S. Senate passage of curbs on debit fees are facing what one executive sees as a "volcanic" eruption of legislation, including possible limits on interest rates. Photographer: Daniel Acker/Bloomberg
Sometime around Christmas, Megan Ney learned from her bank that someone else had successfully applied for a debit card in her name.
A few days later, she heard from Target Corp. that her debit card information had been stolen in a data breach. Ney believes the two episodes are related, though her bank and Target say they can’t tell her for sure.
Ney, a 29-year-old oil and gas company accountant from Tulsa, shops less at Target now and often only with cash because she’s still nervous about the data breach. She wants to know if Target failed to meet payment security standards and how it will be sanctioned if it was at fault.
“If I’m going to continue to be shopping there,” Ney said, “I want to know that my identity and my banking information are protected.”
But even as cyberthreats grow in frequency and sophistication, the system for ensuring payment card security in the United States remains a closely guarded arrangement among the credit card networks who set it up, the banks who process payments for merchants and the merchants themselves.
No regulator ensures that companies meet minimum requirements for protecting data. No public database tells consumers which companies lost customer information through poor performance or neglect, or when and how much they were fined. Banks and credit card companies determine fault on a case-by-case basis through private contracts with individual merchants. Fines and the reasons for them remain sealed.
“It’s this mafia monopoly. It really is,” said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research. “It’s a highly flawed process.”
The Payment Card Industry (PCI) Security Standards Council, which sets the standards for protecting card information, was created by the world’s five major card brands — Visa, Discover, MasterCard, American Express and JCB (Japan) — nearly eight years ago. Run by the card networks, the council doesn’t collect information on compliance. It sets standards.
Enforcement lies with the individual card networks. Generally, when a merchant is out of compliance, the card companies fine the bank that processes the merchant’s card transactions; the bank in turn fines the merchant. (American Express works directly with merchants, Litan said.) In the past, fines have ranged from $3,000 to $5,000 a month per merchant, escalating to as much as $100,000 a month after six months of noncompliance, Litan said. In the event of a breach, there can be additional fines.
Major retailers such as Target undergo private audits annually by one of hundreds of companies that perform them. Target’s chief financial officer testified in a hearing earlier this month that Target was found PCI compliant on Sept. 20, about two months before thieves began hoovering up card data from its cash registers via malware.
A former Target employee with knowledge of the process told the Star Tribune that the company has a team of employees dedicated to PCI compliance, recently about five people, and that Target “is absolutely obsessed with achieving PCI compliance.”
“The idea that Target would be found noncompliant … is literally mortifying to senior leaders,” the person said. “This is precisely what keeps Target leaders awake at night.”
The former employee said it is possible that Target was in compliance in September but that configuration changes were made afterward that might have unknowingly thrown it out of compliance. Configuration changes are constant, the person said.
Through a spokeswoman the company declined to comment on PCI matters, citing the ongoing investigations.
Target’s vast breach has stoked questions about the effectiveness of the PCI system. By at least one measure, compliance is a problem.
Only one in 10 comply
Globally, just one in 10 organizations fully comply with the PCI standards, according to Verizon’s latest PCI Compliance Report on Feb. 11. But Verizon can only report on its own clients, and it works mainly with large and international organizations. The 11 percent full compliance rate that Verizon documented likely would be even lower if it covered small and midsize organizations, said Rodolphe Simonetti, head of Verizon’s PCI practice.
In an interview, Simonetti called the 11 percent full compliance a “huge improvement” from 2012 but said “it should be better than that.” He blamed low compliance on the difficulty of some of the requirements, and the fact that the standards are young and still gaining acceptance.