A House of Representatives subcommittee yesterday questioned the effectiveness of the Payment Card Industry data security standard in a hearing on cybercrime. The PCI standard sets security requirements for companies that handle payment card data with the goal of preventing breaches and reducing the amount of information stored by merchants. Visa said last month that 90% of the merchants in its largest two merchant categories have passed PCI assessments.

Rep. Yvette D. Clarke, D-N.Y., who chairs the Committee on Homeland Security's subcommittee on emerging threats, cybersecurity and science and technology, said the standard is of "questionable strength and effectiveness." Though the payment industry describes it as a common foundation upon which merchants should base their security plans, Clarke said that to many, "the PCI standards are the ceiling not the floor. The bar must be raised."

Bob Russo, general manager of the PCI security standards council, and Joe Majka, Visa Inc.'s global head of fraud control and investigations, both stressed that PCI improves security and that no breached entity has proven compliant with the PCI standard at the time of a breach, even if it had passed an earlier assessment.

Representatives of retailers were critical of PCI. Michael Jones, chief information officer of Michaels Stores Inc., said the main issue with PCI is one of agenda. The standard "has been developed from the perspective of the card companies, rather than those who are expected to follow them." Dave Hogan, the National Retail Federation's senior vice president and chief information officer, summarized the PCI standard as a "tool to shift risk off the bank and credit cards' balance sheets and place it on others."