March 11, 2012

When it comes to safeguarding credit cardholders' data, some financial institutions have fallen down on the job and failed to implement and maintain effective risk programs that comply with the data security standards of the Payment Card Industry (PCI). This failure often stems from the institutions' lack of understanding of how their operations fall within the scope of the standards.

The keystone of the PCI standards is the Data Security Standard (DSS), developed to enhance cardholder data security and facilitate globally consistent data security measures. The standard establishes 12 technical and operational requirements and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data.

Card brands have focused primarily on PCI compliance efforts of the banks with direct connections to the card brands, service providers and merchants, but have devoted much less attention to the compliance efforts, or lack of efforts, of the banks not connected directly to the card network. Likewise, card issuers and banks that outsource merchant services typically have given little thought to PCI compliance.

A bank's management team might believe the standards don't apply because the bank owns the data related to the cards they issue. However, every bank that issues credit cards is a member of a card association, and members are contractually obligated to follow the operating rules defined by the association -- rules that specifically require compliance with PCI DSS and other standards that govern the security and handling of card and PIN data.

Until recently, regulators have had little to say about PCI compliance. However, the Information Technology Examination Handbook, published by the Federal Financial Institutions Examination Council (FFIEC), addresses retail payment systems and cautions participating banks about their responsibilities regarding PCI compliance. For example, the handbook notes that credit card associations require acquiring banks to verify that their merchants and third-party service providers comply with the DSS. Card associations also require issuing banks that use third-party service providers for transaction processing to confirm that the providers are in compliance. In addition, the FDIC recently released revised guidance on performing due diligence on these payment processors that suggests banks failing to adequately manage these relationships might be viewed as facilitating fraudulent activity and could be held liable.