The three major credit reporting agencies plan to make companies send them consumer information in standardized encryption formats.
Equifax Inc., Experian Inc., and TransUnion LLC announced Thursday that they had established a coordinated program for all data sent to them from banks and other financial services companies.
Though the major credit card companies have all imposed security standards for merchants, processors, and acquirers, security experts say that the security requirements for issuing banks are unclear. The bureaus' new encryption rules could help, though they may also increase banks' costs.
The credit bureaus require the use of either the Advanced Encryption Standard or the Triple Data Encryption Standard ("Triple DES") - at the sender's choice - with at least 128-bit encryption. The two are widely used to protect sensitive financial data.
David Rubinger, a spokesman at Equifax, said that each bureau would work separately with its customers to establish a timeline for compliance.
The bureaus plan to penalize those that refuse to comply, he said. They have not come up with a common penalty system, however, Mr. Rubinger said; each bureau will consider each case separately.
Letters notifying customers were sent out this week.
Stuart Pratt, the president and chief executive of the Consumer Data Industry Association, called the bureaus' new rules "progressive and necessary." The standards "make the implementation of encryption a single, straightforward choice for all - from the largest financial institutions to the smallest market lenders," he said in a press release.
Mr. Pratt was scheduled to testify Thursday at a Senate Banking Committee hearing on security.
Jessica Iben, a spokeswoman from JPMorgan Chase & Co., said, "We fully support these new efforts by the three credit reporting agencies to increase the security of sensitive customer information. From our point of view, we do not anticipate any problems complying with the revised standards."
Analysts said the requirements were long overdue.
"Encryption just makes sense," said Bruce Cundiff, an analyst at Javelin Strategy and Research. "The question is, why haven't they done this before?"
The path data takes to the bureaus is one of the "weak links in the chain," he said, so it is "good that they are shoring up the weak spots."
Mr. Cundiff compared the credit bureaus' effort to the Payment Card Industry Data Security Standard that Visa U.S.A., MasterCard International, American Express Co., and Discover Financial Services adopted in January.
This program requires merchants and member service providers that store, process, or transmit cardholder data to adhere to a variety of rigorous data-security procedures. These include using firewalls, using and updating antivirus software, and encrypting data in transit.
"There is this new vision of enforcement that might have trickled down to the credit bureaus," Mr. Cundiff said. "The bureaus may be modeling their new policies to the card networks since the two are inherently linked."
However, Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the rules do not provide clear guidance for issuing banks and credit bureaus.
"There is a clear penalty for companies that accept credit cards - for merchants, and for processors - but nothing I've seen on the issuer side," she said.
Ms. Litan said she has received inquiries from issuing banks asking for advice on how they should protect their data because the PCI standard is so unclear.
According to the analyst, issuing banks encrypt less than half of their consumer data. Indeed, Citigroup Inc. said in June that it had lost unencrypted computer tapes containing consumer data while they were in transit to a credit bureau.
"You can't assume that the data is being encrypted if a company like Citibank" loses unencrypted tapes, Ms. Litan said.
Yet Donald Girard, an Experian spokesman, said many of his company's clients are already encrypting data.
"Nothing is new here; we're just accelerating the process," he said. "Everyone understands that the important thing is to keep data protected and safe."
The banking industry is already familiar with the format; Visa and MasterCard have ordered that all automatic teller machines accepting their cards have PIN pads that use Triple DES.
Banks have had to upgrade just about every ATM in the field. MasterCard's April 1 deadline was deferred for many banks to year-end.





