I Wonder If My Card Issuer Has A ROC?

August 11th, 2010

PCI Requirement 4.2 says not to send an unencrypted PAN “via end-user messaging technologies.” Unfortunately, many issuers ignore this requirement, too.

I have clients who receive E-mails and faxes from issuers (and acquirers, too!) with clear-text PANs as part of the dispute resolution process. Many issuers transmit bulk PANs as part of their purchasing card and corporate travel card reporting. The recipients tell me they are frustrated because Requirement 4.2 binds them, but the issuer seems to be able to ignore PCI while potentially expanding the recipient’s PCI scope. This sense of unfairness carries over and informs their view of PCI in general, and that is unfortunate.

A second reason issuers should validate their PCI compliance is that it may not be that hard. Issuers already operate under some very serious security requirements that go a long way toward meeting or exceeding what PCI asks for. My guess is that they could validate without too much bother. Some cost would be necessary to re-format cardholder statements so the PAN is masked. Plus, meeting Requirement 7 (restricting access to cardholder data based on business need-to-know) will mean additional documentation, given the number of people involved in resolving disputes and questions. Similarly, issuers would need to pass vulnerability scans and penetration tests (Requirement 11).
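To make concrete what Requirement 4.2 (no clear-text PANs in e-mail, which the dispute-resolution messages above violate) and the statement re-formatting just mentioned actually require, here is an added Python example. It is not code from this post or from any issuer: it scans an outbound message for candidate card numbers, confirms them with the Luhn check that every PAN satisfies, blocks the send if any survive, and masks all but the last four digits the way a statement would. The message body is constructed, the card numbers are published test numbers rather than real accounts, and the 13-to-19-digit window and the function names are my assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. The length window is an
# assumption; a production DLP filter would also check issuer (IIN) ranges.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of the kind of dispute e-mail the post describes.
# The card numbers are well-known test numbers, not real accounts.
SAMPLE_EMAIL = """Subject: Chargeback case 20100811-0042
Cardholder disputes transaction on card 4111 1111 1111 1111 dated 2010-08-01.
Second card on account: 5555-5555-5555-4444. Amex 378282246310005 also flagged.
Our reference 1234567890123456 is not a card number.
Phone 555-867-5309."""


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits (every valid PAN passes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match_text):
    """Strip the space/dash separators from a regex match."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text):
    """Return the Luhn-valid candidate PANs found in text, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        pan = _digits(m.group(0))
        if luhn_ok(pan):
            found.append(pan)
    return found


def mask_pan(pan):
    """Show only the last four digits, as a masked statement or receipt would."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans(text):
    """Replace each Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def repl(m):
        pan = _digits(m.group(0))
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def may_send(text):
    """Requirement 4.2 gate: an unencrypted message carrying a PAN must not go out."""
    return not find_pans(text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print("Send allowed:", may_send(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
```

Note that the reference number and the case number in the sample contain runs of digits too; the Luhn check and the length window are what keep them from being flagged, which is exactly why a plain "sixteen digits" pattern is not good enough on its own. Run against the sample, `may_send` refuses the original message and accepts the redacted one.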

Possibly the biggest challenge will be with the issuers’ Web sites. As a cardholder, I want to know that my issuer complies at least with Requirements 6.5 and 6.6, so my information is protected. Seeing the little lock in the corner of my browser is nice, but I really would feel better knowing the Web site was both developed securely and protected by either a code review or a Web-application firewall.

Lastly, issuers should have a ROC because, well, it is the right thing to do. I don’t see any headlines about card issuers being hacked or suffering a data breach. Nevertheless, it seems only fair that if issuers demand PCI compliance from retailers, they should follow the same practices. The best leaders I know all lead by example.

Sometimes I find myself wishing PCI were more like an exercise class. In an aerobics or spinning class, the instructor asks you to do some difficult things. But she is right there doing the same exercises with you. Wouldn’t it be great if the card issuers who developed PCI-DSS also went through the same exercise and validated themselves as compliant just like retailers have to do?

This simple act would add more credibility to the Standards and the PCI Council than any fine, penalty or press release I can imagine. Even a self-assessment would be a positive step. And as a compliant issuer, they may even gain a competitive advantage by demonstrating to their cardholders that they value the relationship and will do everything to protect their cardholders’ financial information.

What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at


One Comment

  1. DMCAMSP Says:

    Cardholder numbers belong to the issuer, not the cardholder. The issuer makes a decision to grant revolving credit to the cardholder and issues an account number and a card. Both the account number and the card remain the issuer’s property and must be surrendered or destroyed by the cardholder upon the issuer’s demand.

