The effectiveness of the Payment Card Industry data security standard was called into question during a House subcommittee hearing on cybercrime.
Rep. Yvette D. Clarke, D-N.Y., who chairs the Committee on Homeland Security's subcommittee on emerging threats, cybersecurity and science and technology, said at Tuesday's hearing that the security standard is of "questionable strength and effectiveness."
The payments industry describes PCI as the foundation upon which merchants should base their security plans, but Clarke said that to many, "the PCI standards are the ceiling, not the floor."
Bob Russo, the general manager of the PCI Security Standards Council, and Joe Majka, Visa Inc.'s global head of fraud control and investigations, said that PCI improves security and that no breached entity has proven compliant with the PCI standard at the time of the breach, even if it had passed an earlier assessment.
Retail executives and representatives also were critical of PCI. Michael Jones, the chief information officer of Michaels Stores Inc., a crafts chain based in Irving, Tex., told the panel that the main problem with PCI is that it "has been developed from the perspective of the card companies, rather than those who are expected to follow" the standard.
Dave Hogan, the National Retail Federation's senior vice president and chief information officer, called PCI "a tool to shift risk off the bank and credit cards' balance sheets and place it on others."
