Information Security & US & Life & Love & Fashion & Hacking & Passion

Criminal hackers aren't just hard to catch. They're also hard to blame.

In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted.

So in a hearing Tuesday, the House of Representative's Committee on Homeland Security took aim at a more accessible target: credit card companies like Visa and MasterCard (nyse: MA - news - people ), which are responsible for creating and enforcing the Payment Card Industry (PCI) standards that failed to prevent those breaches.

Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies.

"I don't believe that PCI standards are worthless," said Rep. Yvette Clark, D-N.Y., who led the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."

Clark called for changes to the standards that included better encryption of data, more frequent updates to the rules to keep up with constantly shifting cybercriminal tactics and new technologies for preventing identity theft like "chip and PIN" cards--a system currently used in Britain that checks personal identification numbers against a tiny microchip in the card itself.

Behind those recommendations loomed the threat of legislation. Rep. Bennie Thompson, D-Miss., the Homeland Security Committee's chairman, suggested that the PCI rules were written by card companies to shift blame to retailers and partners rather than actually preventing cybercrime.

"I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."

Congress's growing attention to obscure payment-card security practices is the result of a steady increase in the number of data breaches nationwide, combined with several high profile information spills in the last year.

The Identity Theft Resource Center counted 646 data breach incidents in 2008, a 47% increase over 2007's total of 446 breaches, itself a record for the most breaches tallied in a single year. (See: "Data Security's Worst Year Yet.")

Those dismal numbers were followed by another shock to the world of cybersecurity: the revelation in January of a breach at Princeton, N.J.-based Heartland that potentially revealed more than a hundred million credit card numbers to hackers--the most of any breach in history. Heartland, like several major breach victims before it, had been approved as compliant with the card industry's security standards.

At Tuesday's hearing, retailers chimed in with their own criticisms of those standards. Michael Jones, the chief information officer at the retail company Michael's, testified that the PCI rules were "expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement."

He argued that the rules were sloppily written and designed to shield card companies from blame. In some cases, he said, card companies required retailers to store more credit card information than is necessary, increasing the risk of data theft. He also pointed to financial services firms that aren't prepared to deal with encrypted transaction data, forcing retailers to send the transactions unencrypted and exposed to potential data thieves.

In breach situations, on the other hand, the retailer takes the brunt of the punishment for any breach of consumer data loss. "The retailer is demonized, the retailer is threatened with damages and sanctions," Jones complained.

Representatives from the payment card industry countered those attacks on PCI standards, arguing that more stringent rules and new technological requirements could be costly for small merchants. "Encryption is an expensive proposition," argued Robert Russo, director of the PCI's Data Security Standards Council. "If we make this mandatory in the standard, there are a number of merchants that will not be able to afford this immediately."

Both Russo and Joseph Majka, head of fraud control for Visa, testified that no company that has suffered a breach has ever been fully compliant with PCI rules.

But in fact, the industry certified both Hannaford and Heartland and only criticized their security measures after their networks were breached. Rep. Ben Ray Lujan, D-N.M., compared the regulatory group to a fire department that declares a home's safety system inadequate after a fire. "There's no one overseeing this. … In the case of breaches, we often depend on the Department of Justice to inform people," he said. "It seems to me that the system we have today, we can all agree, from different sides, it's not working."

A report released Oct. 8 by the U.S. Citizenship & Immigration Services (USCIS) reveals that 13% of petitions filed for H-1B visas on behalf of employers are fraudulent. Another 8% contain some sort of technical violations.

The study, released to members of the U.S. Senate Judiciary Committee, marks the first time the agency, part of the Homeland Security Dept., has documented systematic problems with the controversial program. Technology companies, in particular, have come to rely on the H-1B visa program to bring in skilled foreign workers to fill jobs that employers claim can't be filled with U.S. candidates. Tech companies like Oracle (ORCL), Microsoft (MSFT), and Google (GOOG) have pushed to get more visas, claiming that a shortage of skilled workers is hampering U.S. competitiveness. Microsoft Chairman and co-founder Bill Gates has twice testified in front of Congress on the issue.

Critics say H-1Bs help U.S. companies replace American workers with less costly foreign workers. "The report makes it clear that the H-1B program is rife with abuse and misuse," says Ron Hira, assistant professor of public policy at the Rochester Institute of Technology. "It shows the desperate need for an auditing system." However, both Presidential candidates, Senator Barack Obama (D-Ill.) and Senator John McCain (R-Ariz.), have said they support expanding the program.

Program Abuses Alleged

A USCIS spokesperson was not immediately available for comment. The report's conclusion states: "Given the significant vulnerability, USCIS is making procedural changes, which will be described in a forthcoming document." A spokeswoman, Beth Pellett Levine, says Senator Chuck Grassley (R-Iowa), a longtime critic of the H-1B program, is drafting a letter to USCIS in response to the study.

The H-1B visa program has become increasingly controversial in recent years as groups such as the Programmers Guild and WashTech, which represent U.S. tech workers, allege it is being abused, resulting in mistreatment of foreign workers, wage depression, and the displacement of U.S. workers. The program was originally set up to allow companies in the U.S. to import the best and brightest in technology, engineering, and other fields when such workers are in short supply in America. But data released this year by the federal government show that offshore outsourcing firms, particularly from India, dominated the list of companies that were awarded H-1B visas to employ workers in the U.S. (BusinessWeek, 3/6/08) in 2007. Indian outsourcers such as Infosys (INFY), Wipro (WIT), and Tata (TCS.NS) accounted for nearly 80% of the visa petitions approved last year for the top 10 participants in the program.

There is also evidence that workers on H-1B visas are being mistreated. In a pending case (BusinessWeek, 1/31/08), H-1B workers for State Farm Insurance allege they were underpaid.

Critics say such instances of abuse represent the tip of an iceberg of deeper problems with the visa program. Academics and U.S. tech worker advocates point out the requirement that even employers who abide by the law—for example by paying the required "prevailing wage"—are able to underpay workers .