I Wonder If My Card Issuer Has A ROC?
PCI Requirement 4.2 says not to send an unencrypted PAN “via end-user messaging technologies.” Unfortunately, many issuers ignore this requirement, too.
I have clients who receive E-mails and faxes from issuers (and acquirers, too!) with clear-text PANs as part of the dispute resolution process. Many issuers transmit bulk PANs as part of their purchasing card and corporate travel card reporting. The recipients tell me they are frustrated because Requirement 4.2 binds them, but the issuer seems to be able to ignore PCI while potentially expanding the recipient’s PCI scope. This sense of unfairness carries over and informs their view of PCI in general, and that is unfortunate.
A second reason issuers should validate their PCI compliance is that it may not be that hard. Issuers already operate under some very serious security requirements that go a long way toward meeting or exceeding what PCI requires. My guess is that they could validate without too much bother. Some cost would be necessary to re-format cardholder statements. Plus, meeting Requirement 7 (restricting access to cardholder data based on business need-to-know) will mean additional documentation, given the number of people involved in resolving disputes and questions. Similarly, issuers would need to pass vulnerability scans and penetration tests (Requirement 11).
Possibly the biggest challenge will be with the issuers’ Web sites. As a cardholder, I want to know that my issuer complies at least with Requirements 6.5 and 6.6, so my information is protected. Seeing the little lock in the corner of my browser is nice, but I really would feel better knowing the Web site was both developed securely and protected by either a code review or a Web-application firewall.
Lastly, issuers should have a ROC because, well, it is the right thing to do. I don’t see any headlines about card issuers being hacked or suffering a data breach. Nevertheless, it seems only fair that if issuers demand PCI compliance from retailers, they should follow the same practices. The best leaders I know all lead by example.
Sometimes I find myself wishing PCI were more like an exercise class. In an aerobics or spinning class, the instructor asks you to do some difficult things. But she is right there doing the same exercises with you. Wouldn’t it be great if the card issuers who developed PCI-DSS also went through the same exercise and validated themselves as compliant just like retailers have to do?
This simple act would add more credibility to the Standards and the PCI Council than any fine, penalty or press release I can imagine. Even a self-assessment would be a positive step. And as a compliant issuer, they may even gain a competitive advantage by demonstrating to their cardholders that they value the relationship and will do everything to protect their cardholders’ financial information.
What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
August 12th, 2010 at 10:43 am
Cardholder numbers belong to the issuer, not the cardholder. The issuer makes a decision to grant revolving credit to the cardholder and issues an account number and a card. Both the account number and the card remain the issuer’s property and must be surrendered or destroyed by the cardholder upon the issuer’s demand.