The protection of financial data linked to payments cards and online accounts is increasingly being scrutinized by federal regulators.
Incidents of card data exposure, such as the August 2011 online breach at Citibank, get regulators' attention. And sources say banking examiners are increasingly asking tougher questions about the protection of consumer data. [See Citi Breach Exposes Card Data.]
Cary Whaley of the Independent Community Bankers Association says federal regulators during regular IT exams are often asking institutions to show exactly how they are protecting this data. "The biggest accountability for the community bank is for the customer," Whaley says. "Community banks [and institutions, generally] want to ensure that the data is protected. Priority No. 1 is data security; that's always the biggest concern."
Guidance for the oversight of third-party payment processors, issued earlier this month by the Federal Deposit Insurance Corp., and updated online authentication guidance issued in June 2011 by the Federal Financial Institutions Examination Council are two examples that highlight renewed regulatory interest in PII protections.
Some of those enhanced requirements mirror security mandates outlined in the Payment Card Industry Data Security Standard.
Regulators may turn to the PCI-DSS as a complementary standard, but it's not something regulators can enforce. It is, however, a guideline regulators can reference when evaluating an institution's overall security, and experts say banks and credit unions should do more to adhere to the security tenets outlined within the PCI-DSS.
Banks and PCI
The PCI-DSS, aimed mainly at merchants, is critical for best practices, especially where the protection of PII is concerned. And while most banking institutions do have measures in place to protect consumers' PII, the majority could improve techniques and solutions used to mitigate risks. When it comes to the industry's understanding of PII, it's really a mixed bag.
Avivah Litan, a distinguished analyst at Gartner, says banks historically have done a poor job of viewing PII from more than a check-box auditing perspective. "PCI is a vague policy, and no one at the bank is using it to become secure," she says.
Financial institutions have focused more attention on audits for ISO 27001, a standard that requires fewer specifics about encryption.
As a standard, the PCI-DSS applies more to merchants, because merchants are not regulated like banks. But all financial institutions, even non-card-issuing institutions that fall outside the purview of compliance, can benefit from following and applying the security guidelines listed in the DSS.
The PCI Security Standards Council says the PCI-DSS sets a baseline for card security - one that complements local and federal laws and regulations. Regulatory requirements may require specific protection of PII or other data, like a cardholder's name. Those same requirements might also outline an institution's or business's disclosure practices if consumer information is exposed.
The PCI-DSS calls for:
- Protecting stored account information. Any entity that stores, processes or transmits a primary account number must comply with the PCI-DSS.
- Protecting any PII connected with card transactions. If a cardholder's name, service code or card expiration date is attached to a transaction, and thus stored, processed or transmitted with the account number, it also must be protected in accordance with the PCI-DSS.
The lesson for banks and credit unions: Protecting consumer privacy is critical, and the PCI-DSS provides practical guidance for cardholder protection. Understanding and applying those guidelines, even if not mandated, enhances PII protections.
William Henley, a former regulator who now serves as the senior vice president of regulation for BITS, the technology division of the Financial Services Roundtable, says regulatory agencies evaluate data security based on the FFIEC IT handbooks, "particularly the information security booklet," he says, and have up to now had little need to reference PCI standards.
Greg Hernandez, a spokesman for the FDIC, says the PCI-DSS is a self-regulatory framework for the protection of payment card information, and falls outside the purview of FDIC enforcement. "But the requirements for protecting sensitive consumer/customer information are consistent with the requirements of the Gramm-Leach-Bliley Act (GLBA) 501(b) Information Security Standards, for which the FDIC is responsible," he says.
Overlap does exist. And the expectation is that regulatory examinations will be more detailed. "It can just be another compliance exercise, in a day and age when there are quite a few compliance exercises," Whaley says.
David Navetta, an attorney who specializes in IT security, says regulators and the card brands likely have some concerns about how banks and credit unions respond to card-data protections outlined within standards such as the PCI-DSS.
"It seems pretty straightforward for a regulator to look at other industry standards when it comes to the guidance they have to enforce," he says. Regulators could use PCI guidelines as a benchmark for reasonable security.