Fed Official Questions Value of PCI Standards

June 3, 2011

In a recent blog post, an Atlanta Federal Reserve official questioned the value of the Payment Card Industry (PCI) data security council guidelines in the U.S. Cindy Merritt, assistant director of the Retail Payments Risk Forum, said in the Atlanta Fed’s Portals and Rails blog that the rising incidence and sophistication of skimming scams should have the payments industry looking beyond PCI compliance.

“The PCI security standards council has developed guidelines for retailers to best protect point-of-sale card readers to prevent card skimming, including how to detect device tampering,” she wrote. “As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective—a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology. The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses.”

She acknowledged that a U.S. migration to EMV would be difficult and expensive because of the large number of card networks, issuers and merchants involved. However, with so many countries, including most of Europe and Canada, making the switch, crooks are expected to concentrate on the U.S., pushing up skimming-related losses.