Authentication, Not Encryption, Should Be Priority For PCI Council

CHICAGO—Last week, the PCI Security Standards Council pushed advanced encryption as a way to protect consumers’ card data. But one point-of-sale vendor executive contends authentication at every step of the payments process would work better to combat fraud.

Company executives gathered at the Federal Reserve Bank of Chicago Sept. 26 to discuss the rise of online-payments fraud and how to secure remote payments, which also includes mobile transactions. Card-not-present transactions were intended to be the primary focus of one session but partly turned into a criticism of the PCI Council and its standards.

Annmarie Hart, president of MagTek Inc., said she believes the council is doing more harm than good in its stated mission to protect cardholder data. Hart went so far as to frame PCI as a “false god” when it comes to fraud prevention.

“We’re told 60% of merchants are PCI-compliant, but we continue to hear about breaches,” Hart told attendees at the Fed’s one-day payments symposium. “Have we questioned whether the protocols are ineffective?”

The PCI Council’s focus should center on authenticating data from the moment a card is swiped at the point of sale until it arrives at the issuer for processing, Hart said.

“It’s authentication that actually buys you security, and it’s authentication as an industry that we need to move to,” Hart told PaymentsSource in an interview. “You don’t see any activity coming out of PCI on the subject of authentication.”

The PCI Council’s stated mission is to protect card data, but the organization is the “ultimate observer of the status quo” in terms of preventing fraud, Hart told conference attendees.

“PCI is all about compliance and not about fraud reduction,” Hart said during her interview with PaymentsSource. “As a business model, if [the council] really wanted to do a service to the industry, they should reevaluate their business proposition and mission.”

The council’s ultimate mission should be to put itself out of business, Hart believes.

“Make the payments world secure enough that we don’t need all these goofy rules and extra audits,” she said.

Hart was not the only conference speaker criticizing the PCI process.

Terry Dooley, senior vice president and chief information officer at the Shazam electronic funds transfer network, told attendees his organization spends millions to comply with PCI standards. But if the network makes a change to its software, the council’s rules no longer deem the network secure.

“You’re considered secure for about 30 minutes the whole year,” Dooley said.

Dooley also pushed authentication as the best method to reduce fraud and said the council should place more emphasis on the use of PINs.

“There are a number of different companies touting technology that focuses on the PIN,” Dooley said. “That will strengthen security more.”
