US holds hearing on data security

The US House of Representatives subcommittee on Financial Institutions and Consumer Credit is to hold a hearing on data security this week.

The hearing comes in the wake of several data breaches at US companies and educational institutions including the retailer Target and the University of Maryland.

The House Committee on Financial Services said these data breaches underscore the serious threats to financial privacy and data security posed by individuals and criminal syndicates that seek access to personal financial information to commit fraud or identity theft.

The purpose of these hearings is to provide members of the subcommittee with a better understanding of why and how these breaches occur; what happens during and after a breach; what security measures are in place to prevent breaches; and what types of payment system technologies are on the horizon that will help reduce the risk of future breaches.

Witnesses include representatives of the US Secret Service, US Department of Homeland Security, US Consumer Program, The Clearing House Payments Company and the Payment Card Industry Security Standards Council (PCI SSC).

Bob Russo, general manager of the PCI SSC, said the hearing will highlight the seriousness and complexity of data security issues and why businesses need to develop a multi-layered approach to protecting their customers.

“The PCI Standards provide a strong foundation for this approach, helping organisations make payment security part of their everyday business practices by addressing people, process and technology.

“We look forward to continuing our role as a leader in this area and building on the thoughtful and constructive dialogue to date with policy makers. 

“We all want the same goal - systems that protect consumer data security from criminals,” he said.

Representing the PCI SSC is chief technology officer Troy Leach, who is expected to tell the hearing that while there is no single technology to secure payment card data, the PCI SSC is an excellent example of effective industry collaboration to develop private sector standards.

“The PCI [Data Security] Standards (PCI DSS) are the best line of defence against the criminals seeking to steal payment card data,” he is expected to say.

“And while several recent high profile breaches have captured the nation's attention, great progress has been made over the past seven years in securing payment card data through a collaborative cross-industry approach, and we continue to build upon the way we protect this data,” Leach will say.

In 2011, the Ponemon Institute, a non-partisan research centre dedicated to privacy, data protection, and information security policy, wrote: “The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organisations that hold, process or exchange cardholder information.”

Leach will say that while the PCI SSC is pleased to have earned accolades such as this, it cannot rest on its laurels. “The recent breaches at retailers underscore the complex nature of payment card security. A complex problem cannot be solved by any single technology, standard, mandate, or regulation. It cannot be solved by a single sector of society: business, standards-setting bodies, policymakers, and law enforcement must work together to protect the financial and privacy interests of consumers,” he will say.

Leach will say there is no time to waste. “The PCI SSC and business must commit to promoting stronger security protections while Congress leads efforts to combat global cyber-crimes that threaten us all,” Leach is expected to conclude.
