Retailers face 12 core requirements, the first of which is to install and maintain a firewall to protect cardholder data. One of the most challenging rules for retailers is No. 10, Simonetti said, which requires merchants to track and monitor all access to network resources and cardholder data, typically with system activity logs.
Simonetti noted that while card networks such as Visa publish lists on their websites of PCI compliant payment service providers (card processing banks, for instance), no such lists exist for retailers. A public listing of PCI-compliant companies “would probably help,” he said.
Simonetti said he thinks the security standards are reducing data security breaches, though not preventing them.
“All the companies that have been breached, even the ones who claimed to be compliant, were not compliant at the time of the breach,” Simonetti said. “That’s what we’ve seen over the last five years.”
Jennifer Fischer, head of security operations, policies and standards for Visa Inc., took issue with Verizon’s report. In an interview she said Visa’s own research shows a high level of compliance among the 440 largest merchants with which it works — those who process more than 6 million Visa transactions a year. Of those, 96 percent were compliant at their last audit, she said.
Visa does post generic compliance rates on its website, albeit in a very cryptic fashion. It doesn’t list merchant results by name because that would impede their cooperation, Fischer said.
“We want to encourage merchants to be forthcoming about their security posture,” she said. “We want to maintain that trust relationship so that we can be notified in the event that there is an issue.”
Fischer said that the rate of fraud in the U.S. payment system is stable and near historic lows. At Visa, it’s about 6 cents for every $100 spent on Visa cards, for a rate of about 0.06 percent.
Richard Sullivan, head of payments research at the Federal Reserve Bank of Kansas City, estimates the general fraud rate is 9 cents per $100.
Fischer attributes the relatively low rates to better fraud-fighting tools. The PCI standards, while not perfect, “have effectively raised the bar when it comes to security,” she said.
John Kindervag, vice president and principal analyst at Cambridge, Mass.-based Forrester Research, agrees. As he sees it, the retailers brought the PCI standards on themselves by being sloppy with payment card security in the name of ringing up purchases fast. Merchant security practices are “horrific,” Kindervag said. “PCI has done really a marvelous job of reducing the number of credit card breaches.”
Supporters of greater federal oversight, such as Sen. Al Franken, D-Minn., counter that the U.S. has less than a quarter of the world’s card transactions, but roughly half the fraud, and that Target was hacked just two months after passing a private industry cybersecurity review.
An analysis by the FICO credit consultancy showed that incidents of fraud on U.S.-issued credit cards rose 17 percent from the beginning of 2011 to late 2012, although the average dollar loss per account fell.
All the while, consumers remain mostly in the dark about the companies to whom they entrust their credit and debit card data and personal information.
“I’m not aware of anything that requires industry to disclose punishment or fines to consumers,” said Nessa Feddis, deputy chief counsel for consumer protection at the American Bankers Association.
Consumer advocates argue that this is why federal standards for reporting and explaining cybertheft are needed.
“Consumers are frustrated and disconcerted about what’s going on,” said Delara Derakhshani, policy counsel at Consumers Union. “We are always in favor of more disclosure.”
Franken and fellow Democratic Sen. Amy Klobuchar of Minnesota back a bill by Sen. Patrick Leahy, D-Vt., that would allow the Federal Trade Commission to set national cybersecurity standards and assess civil penalties against companies that don’t meet them.