PCI: The Toothless Security Effort

Written by Evan Schuman
March 2nd, 2007

MasterCard’s confirmation this week that TJX had not complied with PCI rules at the time of its huge data breach is setting up yawns throughout retail. Nowhere is there better evidence of the lackluster way PCI is trying to improve retail security.

Earlier this week, MasterCard officially (well, sort of officially) confirmed that retail chain TJX was not in compliance with PCI rules at the time of the $16 billion retailer’s infamous January disclosure of a massive data breach.

The significance of this news is not the fact that TJX was not complying with the rules themselves. As former federal prosecutor Mark Rasch said: “It’s hardly surprising that they weren’t PCI-compliant. That’s from the Department of Obviousness.”

Nor is it newsworthy that MasterCard opted to confirm the chain’s PCI-less state, although it is interesting. It might be a hint of the level of anger that many in the industry feel about the way TJX has been handling their crisis, coupled with a generous dose of CYA. In any other situation, it’s truly hard to envision the normally media-shy MasterCard going out of its way to publicly confirm that a retailer was not compliant. Officially, it merely confirmed that TJX’s U.S. credit card transaction processor (technically: acquirer), Cincinnati, Ohio-based Fifth Third Processing Solutions, had reported to MasterCard that TJX wasn’t PCI compliant.

No, the true newsworthy aspect of this news is how it illustrates the irrelevance of PCI today, when it comes to retail security. To say that PCI has achieved a toothless reputation today is being generous. It’s akin to those homepage declarations that a site has been certified as safe. It only provides comfort to those who don’t think about it very much. PCI has become a Santa Claus entity: it only works for those who really want to believe and who are willing to conveniently ignore any facts that disprove it.

PCI certainly doesn’t have to be toothless. It has provisions for serious financial penalties and for even banning a merchant from accepting credit and/or debit cards. But for it to be taken seriously, the credit card industry and retail industry must undergo a radical attitude conversion. Are MasterCard’s comments the first indication of someone trying? A tentative, toe-in-the-water, half-hearted try perhaps, but a try nonetheless.

The industry must not only use those fines and penalties but they must do so publicly. Very publicly. We’re talking about a news conference every time a fine is issued, and they need to be issued every week. Those announcements must be explicit and specific, detailing for the world what the retailer did (or failed to do) and why. For some retailers, the humiliation and embarrassment associated with such a disclosure might be worse than the penalties, and that’s a good thing.

Retailers need a cost-benefit analysis that makes it worthwhile to heavily invest in security. They must constantly see what happens to companies that fail to comply and it’s critical that they must fear those consequences. Today, few retailers have that fear. Is the threat of rescinding a retailer’s ability to accept credit/debit cards a true deterrent if no retailer believes it will ever happen?

The next step is taking a much more strict position with PCI-compliance audits. The fact that the auditors in question are paid by (and are given instructions by) the retailers being audited is the most textbook conflict of interest I’ve seen in quite some time. Why not have the auditors working for the credit card companies or the banks? Why not give the auditors the ability to explore any and all systems, as opposed to just the ones the retailer wants examined? The rules were written assuming that retailers would want to know what was really going on. But what if some key managers with that retailer were deliberately retaining forbidden data, perhaps for a CRM project? Is that the Auditor Fox guarding the Retail Chickens?

When the retail and banking industries want to take security seriously, they already have the tools to do so. Until then, please forgive us if we’re yawning at a multi-year-in-the-making data breach (which wasn’t discovered for years). It’s hard to get worked up about a retailer not taking seriously something that the banking and credit firms don’t care about, either.


One Comment

  1. Avery Sawaba Says:

    PCI has teeth. It just turns out, they’re dentures, and VISA’s taken them out and lost them under the couch cushions or somewhere.

    The article is spot-on regarding PCI’s issues. I think it is interesting that Mastercard was the one to announce that TJX was not in compliance, as VISA created PCI and is the most vocal about anything related to it. Mastercard used to have their own data security requirements, called SDP (Site Data Protection), but VISA was the one to really figure out what needed to be done, do it, and pull everyone else together on it (Amex, Discover, Mastercard). PCI is touted as an industry standard, supported by all the card associations, but it is still very much VISA backing it up, enforcing it and providing new content for the specific requirements.

    I can say that OCC audits, carried out by government-employed auditors, are VERY effective.

    The good news is that the foundation is there, and it is strong. If you follow the PCI requirements (which anyone can grab here:, you won’t be unhackable, but you will be very secure — more secure than the average corporation. That is step one. Step two is enforcing it. VISA does enforce the requirements, but I agree if they don’t do so publicly, how is the average consumer supposed to know if PCI is working or not? Technically, VISA and Mastercard aren’t required to announce when someone has been fined, but VISA does maintain this: If a service provider doesn’t pass PCI, their name comes off this list (in addition to fines, etc…). However, TJX isn’t a service provider, and I don’t know of a list that would show a Merchant’s PCI status.

    Personally, I think anyone’s (merchant, service provider, bank) PCI status should be public information, like a restaurant’s health code score. It is as much the consumer’s right to know their health risk as it is to know their financial equivalent as well.

