Criminal hackers aren't just hard to catch. They're also hard to blame.

In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted.

So in a hearing Tuesday, the House of Representatives' Committee on Homeland Security took aim at a more accessible target: credit card companies like Visa and MasterCard, which are responsible for creating and enforcing the Payment Card Industry (PCI) standards that failed to prevent those breaches.

Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies.

"I don't believe that PCI standards are worthless," said Rep. Yvette Clarke, D-N.Y., who led the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."

Clarke called for changes to the standards that included better encryption of data, more frequent updates to the rules to keep up with constantly shifting cybercriminal tactics, and new technologies for preventing identity theft like "chip and PIN" cards--a system currently used in Britain that checks personal identification numbers against a tiny microchip in the card itself.

Behind those recommendations loomed the threat of legislation. Rep. Bennie Thompson, D-Miss., the Homeland Security Committee's chairman, suggested that the PCI rules were written by card companies to shift blame to retailers and partners rather than actually preventing cybercrime.

"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."

Congress's growing attention to obscure payment-card security practices is the result of a steady increase in the number of data breaches nationwide, combined with several high-profile information spills in the last year.

The Identity Theft Resource Center counted 646 data breach incidents in 2008, a 47% increase over 2007's total of 446 breaches, itself a record for the most breaches tallied in a single year. (See: "Data Security's Worst Year Yet.")

Those dismal numbers were followed by another shock to the world of cybersecurity: the revelation in January of a breach at Princeton, N.J.-based Heartland that potentially revealed more than a hundred million credit card numbers to hackers--the most of any breach in history. Heartland, like several major breach victims before it, had been approved as compliant with the card industry's security standards.

At Tuesday's hearing, retailers chimed in with their own criticisms of those standards. Michael Jones, the chief information officer at the retail company Michaels, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."

He argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than is necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.

When a breach does occur, on the other hand, the retailer takes the brunt of the punishment for any loss of consumer data. "The retailer is demonized, the retailer is threatened with damages and sanctions," Jones complained.

Representatives from the payment card industry countered those attacks on PCI standards, arguing that more stringent rules and new technological requirements could be costly for small merchants. "Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."

Both Russo and Joseph Majka, head of fraud control for Visa, testified that no company that has suffered a breach has ever been fully compliant with PCI rules.

But in fact, the industry certified both Hannaford and Heartland and only criticized their security measures after their networks were breached. Rep. Ben Ray Lujan, D-N.M., compared the regulatory group to a fire department that declares a home's safety system inadequate after a fire. "There's no one overseeing this. … In the case of breaches, we often depend on the Department of Justice to inform people," he said. "It seems to me that the system we have today, we can all agree, from different sides, it's not working."
