Visa: Criticism of PCI standard 'misplaced'

Visa has dismissed "recent rumblings" about the possible demise of PCI data security rules.


Visa has dismissed "recent rumblings" about the possible demise of PCI data security rules.

The rumours were "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure, the company's top risk management executive said.

Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly."

Richey added that breaches such as the ones at Heartland Payment Systems and RBS WorldPay were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year.

"I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey.

"As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."

Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach.

"While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.

Richey's defence of PCI DSS and criticism of Heartland come as Visa, which has taken the lead among credit card companies in seeking to enforce the standard, is itself facing some criticism over its enforcement actions.

"Recommended For You"

Visa warns merchants who don't meet PCI deadline Fear driving retailers to adopt security controls