Demanding Stronger Card Security

Examiners Turn Up Heat on How Institutions Protect Consumer Info

By Tracy Kitten, February 27, 2012.

The protection of financial data linked to payments cards and online accounts is increasingly being scrutinized by federal regulators.


Incidents of card data exposure, such as the August 2011 online breach at Citibank, get regulators' attention. And sources say banking examiners are increasingly asking tougher questions about the protection of consumer data. [See Citi Breach Exposes Card Data.]

Cary Whaley of the Independent Community Bankers of America says federal regulators, during regular IT exams, are increasingly asking institutions to show exactly how they protect this data. "The biggest accountability for the community bank is for the customer," Whaley says. "Community banks [and institutions, generally] want to ensure that the data is protected. Priority No. 1 is data security; that's always the biggest concern."

Guidance on the oversight of third-party payment processors, issued earlier this month by the Federal Deposit Insurance Corp., and the updated online authentication guidance issued in June 2011 by the Federal Financial Institutions Examination Council are two examples of this renewed regulatory interest in the protection of personally identifiable information (PII).

Some of those enhanced requirements mirror security mandates outlined in the Payment Card Industry Data Security Standard.

Regulators may turn to the PCI-DSS as a complementary standard, but it is an industry standard, not a regulation, so it is not something regulators can enforce. It is, however, a guideline regulators can reference when evaluating an institution's overall security, and experts say banks and credit unions should do more to adhere to the security tenets outlined within the PCI-DSS.

Banks and PCI

The PCI-DSS, aimed mainly at merchants, lays out best practices that matter to any organization handling payment data, especially where the protection of PII is concerned. And while most banking institutions do have measures in place to protect consumers' PII, the majority could improve the techniques and solutions they use to mitigate risks. When it comes to the industry's understanding of PII, it's really a mixed bag.

Avivah Litan, a distinguished analyst at Gartner, says banks historically have done poor jobs of viewing PII from more than a check-box auditing perspective. "PCI is a vague policy, and no one at the bank is using it to become secure," she says.

Financial institutions have focused more attention on audits against ISO 27001, a management-system standard that is far less prescriptive than the PCI-DSS about specifics such as how cardholder data must be encrypted.

As a standard, the PCI-DSS applies mainly to merchants, because merchants are not regulated the way banks are. But all financial institutions, even non-card-issuing institutions that fall outside the purview of PCI compliance, can benefit from following and applying the security guidelines listed in the DSS.

The PCI Security Standards Council says the PCI-DSS sets a baseline for card security, one that complements local and federal laws and regulations. Regulatory requirements may mandate specific protection of PII or other data, such as a cardholder's name. Those same requirements might also dictate an institution's or business's disclosure obligations if consumer information is exposed.

The PCI-DSS calls for:

  • Protecting stored account information. Any entity that stores, processes or transmits a primary account number (PAN) must comply with the PCI-DSS.
  • Protecting any PII connected with card transactions. If a cardholder's name, service code or card expiration date is attached to a transaction, and thus stored, processed or transmitted together with the account number, it also must be protected in accordance with the PCI-DSS.

The lesson for banks and credit unions: Protecting consumer privacy is critical, and the PCI-DSS provides practical guidance for cardholder protection. Understanding and applying those guidelines, even if not mandated, enhances PII protections.

William Henley, a former regulator who now serves as the senior vice president of regulation for BITS, the technology division of the Financial Services Roundtable, says regulatory agencies evaluate data security based on the FFIEC IT Examination Handbook, "particularly the information security booklet," and have up to now had little need to reference PCI standards.

Follow Tracy Kitten on Twitter: @FraudBlogger
