• 19 Jun

    Today, the American Hotel & Lodging Association (AH&LA), together with several similar trade associations, sent a formal written joint request to the Payment Card Industry (PCI) Security Standards Council. In that request, they listed several recommendations that they believe would make the handling of credit, debit and gift card transactions under PCI requirements more cost effective and, at the same time, a more efficient process.

    As we have seen in several prior postings on this blog about the credit card industry and its information security and privacy requirements, federal, state and local regulatory agencies are increasingly concerned that more needs to be done to protect an individual's privacy whenever they make purchases with their credit and debit cards.

    The recommendations for change presented in this article are a solid list of continuous improvements that should, if implemented, reduce the cost of compliance for all parties involved.

    The article also implies that if the PCI Council does not heed their concerns, the associations have fully agreed to pursue the other available options, i.e. legislative action in Congress or regulatory changes.

    Do you agree with this action by the AH&LA?


• 19 Jun

    We believe that the new government website www.govinfosecurity.com is a useful source of information on security and privacy related activities. The central theme of a recent article by Eric Chabrow, Managing Editor, is that law enforcement officials must be notified quickly when computer systems are breached. The point was made because surveys and experience indicate that data breaches are significantly underreported.

    The example of a recent data breach at the restaurant chain Dave & Buster's was cited and explored as a reason why Congress should now enact legislation to compel such notification.

    Do you agree with this recommendation to Congress? Or do you believe that the levels of security provided by the PCI-DSS requirements are already enough to deal with the data breach problem?


• 15 Jun

    In a recent Associated Press (AP) article by Jordan Robertson, AP Technology Writer, we can read about conflicting status reports on the credit card industry. The article is based on the AP's analysis of data breaches going back to 2005. Its bottom-line finding: the credit card industry's rules, as contained in its PCI-DSS policies, are cursory at best and all but meaningless at worst.

    Another claim made in the article is that a key reason the industry established the PCI-DSS policies was that the banks and card brands really don't want the government regulating credit card security. These companies also want to be sure that their transactions keep working well throughout their systems, which at the same time could be a reason why those same banks and card brands are willing to tolerate certain percentage levels of fraud within their systems. To some degree, fraud is seen as a cost of doing business, and if too many security measures are added, the "gears of the payment system", which is built on speed, convenience and low cost, would not work at the current levels of required efficiency. The result is that these motivations and drivers seem to be at odds with the levels of security called for by recent consumer group surveys and by the current language of consumer protection coming from the federal government.

    Yet there seems to be no debate that identity theft and data breaches are on the rise, along with concern for consumer data protection in general, and that the credit card industry is one of the areas where breach activity has increased over the last few years.

    We welcome your thoughts, comments and opinions on this controversial topic…
