More Lawmakers Hear From Industry On Payments Security

06 March 2014

Various key players in payments and security got their chance on Wednesday to discuss with key lawmakers their views on how to shore up the security of the nation’s payments ecosystem during a hearing before the House Financial Services Committee’s Subcommittee on Financial Institutions and Consumer Credit.

Congress has been taking up the issue of payments security quite a bit lately, especially since the big breaches that affected Target, Neiman Marcus and other merchants. The Senate Banking, Housing and Urban Affairs Committee held a similar hearing in February, as did the House Energy and Commerce Subcommittee.

During yesterday’s hearing, representatives from various entities that had testified earlier again presented their views, including the Secret Service and Homeland Security. The PCI Security Standards Council, The Clearing House Payments Company, U.S. PIRG and the Financial Services Information Sharing and Analysis Center also were represented.

Issue is transnational

U.S. Secret Service Special Agent William Noonan noted that advances in computer technology and greater access to personally identifiable information online have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies.

“As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure,” he said in prepared testimony. “These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.”

The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our Nation’s retailers and financial payment systems, Noonan said.

Collaboration a primary focus

Among the payments industry representatives, industry collaboration was a central focus of the strategies they discussed.

Troy Leach, the PCI Security Standards Council’s chief technology officer, cited the council as “an excellent example” of effective industry collaboration to develop private-sector standards. “Simply put, the PCI Standards are the best line of defense against the criminals seeking to steal payment card data,” he testified. “And while several recent high profile breaches have captured the nation’s attention, great progress has been made over the past seven years in securing payment card data through a collaborative cross-industry approach, and we continue to build upon the way we protect this data.”

No single silver bullet

Indeed, no one fix will cure the problem, and it will require efforts across the payments spectrum. In his testimony, David Fortney, senior vice president of product development and management at The Clearing House Payments Company, told the panel that EMV smart cards alone will not solve the breach problem. He suggested that tokenization of card data is also necessary to protect payments information, and that tokenization and EMV used together can form a formidable defense.

“The implementation of these two technologies – EMV and tokenization – will require cooperation amongst banks and merchants as the tangible benefits can only be achieved by moving in tandem,” he said in prepared testimony. “Tokenization mitigates the risk of sensitive data being compromised, greatly benefiting both consumers and merchants.”

Fortney recently was cited by Market Platform Dynamics CEO Karen Webster, who wrote yesterday how the ripple effect from the recent breaches has, among other things, raised the issue of whether the industry should pursue EMV as a fraud solution given that it’s 30-year-old technology.

Also testifying yesterday was Gregory T. Garcia, an advisor to the Financial Services Information Sharing and Analysis Center. He cited the organization’s information-sharing efforts as well as government and industry partnerships as being among the efforts to counter the recent rash of breaches.