http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=297167

By Brian Fonseca
June 25, 2007
Computerworld

LAS VEGAS -- A panel of financial services and retail executives this month disagreed on which side bears the brunt of the burden to ensure compliance with the Payment Card Industry (PCI) Data Security Standard.

Executives from JPMorgan Chase & Co. and First Horizon National Corp. told an audience at Symantec Corp.'s Vision user conference here that high-profile data breaches at retailers like The TJX Companies Inc. are not originating from their side of the fence -- yet they must spend significant sums to make sure such incidents don't happen.

"The TJX incident was not a JPMorgan [data breach]; it wasn't at First Horizon or Citigroup. It was at a merchant. And yet all the plans to remediate that have been with the banks," said Christopher Leach, senior vice president and chief information security officer at Memphis-based First Horizon.

Framingham, Mass.-based TJX disclosed early this year that more than 45 million credit and debit card numbers were stolen from two of its IT systems over an 18-month period.

An AT&T Inc. executive, on the other hand, contended that banks have so far done little to share in the burden of ensuring credit and debit card security compared with businesses that accept such payments.

The PCI standards were created by five credit card companies (Visa International Inc., MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co.) to protect credit card data before, during and after transactions.

First Horizon, which operates in 43 states and claims $5 billion in annual revenue, is currently going through a costly new round of PCI certification efforts or, as Leach put it, "trying to build that airplane as we build the runway."

"We've discovered that PCI keeps changing," Leach said. "We went down the path to be certified at one point and did a great deal of due diligence only to find out some of the requirements would change. One Visa analyst would say one thing, and another Visa analyst would say something very contradictory."

Brian Glowacki, vice president and lead architect for global storage technology at JPMorgan in New York, agreed that banks are bearing an unfair security burden compared with merchants.

Vanessa Pegueros, director of compliance services at AT&T, contended that banks are "thumbing their noses at the PCI regulation, so we are paying the price."

"We were doing a good job -- maybe not as fast as some would like, but we were on a plan and trying to meet the [PCI] requirements," Pegueros said. "But [Visa is] trying to take a hard-line approach, and we're caught in the middle. Now we have to adjust our plans."

Gartner Inc. analyst Avivah Litan agreed that banks are not yet taking adequate measures to comply with the PCI standards. "There has not been a lot of enforcement at the bank level," she said. "All the enforcement scheduled has been on the processing and retailer side, so it has been unfair, frankly."

Litan said retailers are upset because they believe that they are being held to a higher standard than banks in securing their systems.

Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass., said that both sides should work together to ensure that the cards are secure. "This should not be a blame game," he said. "The bottom line is, everyone who touches consumer payment card data has a responsibility to secure it."
This archive was generated by hypermail 2.1.3 : Mon Jun 25 2007 - 22:33:36 PDT