Is your credit card data well enough protected?

Why retailers aren't convinced

By Stephanie Condon

Published: 1 April 2009 09:47 GMT

The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of the convenience of credit card companies and their financial institution partners, retail representatives told the US Congress on Tuesday.

In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.

The credit card industry maintained at a congressional hearing on Tuesday that self-regulation is effective, pointing out that since the PCI standards were published, security breaches have occurred only at entities that were not fully in compliance with the standards.

"I have no doubt that compliance to PCI standards are the best line of defence," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."

Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.

"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, [it is] a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."

Michael Jones, the CIO for US arts and crafts retailer Michaels Stores, backed up Hogan's comments with the fact that the credit card companies' financial institutions do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.

Transferring this data unencrypted can lead to breaches like the Heartland breach, or the 2007 TJX breach that compromised 45.7 million customer accounts, Jones said. Michaels has been asking for the past three years for the ability to encrypt transaction information, he said.

"The need is not there" to encrypt the information, given the other security steps PCI calls for, Russo said. "Why put merchants through the expense?"

Joseph Majka, head of fraud control and investigations for Visa, said the industry is exploring new technologies, including end-to-end encryption, that could provide a solution.

"I wouldn't call [encryption] an emerging technology," Jones responded. "I feel that it should have been in the standard long ago."

Hogan said the PCI Security Standards Council has ignored a number of other recommendations from the retail industry, such as allowing consumers to enter a personal identification number for credit card transactions.

The Council should consider updating its standards more frequently, said Rita Glavin, acting assistant attorney general in the criminal division of the Justice Department. It should also consistently inform federal law enforcement when breaches occur, she said.

"It helps us get a sense of what's going on so that we can get in front of the problem," Glavin said.

Even though they may not be perfect, the PCI standards are beneficial, she said.

"Having any security system and uniform systems are going to help," Glavin said. "It's a floor and a way to begin the process of preventing breaches."

Original article: Retailers: Credit card data inadequately protected from CNET News.com
