A payments-focused group of heavyweight merchants is emerging from obscurity to push for new standards to protect credit and debit card data. But just how these standards would complement or possibly conflict with the existing Payment Card Industry data-security standard (PCI) remains unknown. The organization, called the Merchant Advisory Group, or MAG, formed in 2005 as an informal way for large merchants whose card transactions were processed by what was then Chase Merchant Services to discuss common payment-related issues. It held its first conference last October, formed several task forces, and hired a former Southwest Airlines Inc. executive, Dodd Roberts, as its president and chief executive. Irving, Texas-based MAG's membership generates about $250 billion in payments volume. Members include such retailers as Home Depot, JCPenney, and CVS Caremark, travel-related merchants such as Continental Airlines, Southwest Airlines, Marriott International, and an assortment of petroleum companies and well-known names in e-commerce and specialty retail. So-called sponsors include merchant acquirers such as First Data Corp., U.S. Bancorp's Elavon subsidiary, Heartland Payment Systems Inc., RBS WorldPay, PayPal Inc., and some other payments-industry vendors. MAG concerns itself with member education and non-competitive industry issues, including data security. MAG is one of the backers of an effort by the Accredited Standards Committee X9 (ASC X9) to develop a new standard to protect cardholder data. ASC X9 is accredited by the American National Standards Institute (ANSI), a body that sets voluntary standards for members of a broad range of industries. For example, ASC X9 helped develop standards for credit card magnetic stripes and ATM systems. Heartland, an ASC X9 member that three months ago disclosed a major breach of its computer systems (Digital Transactions News, Jan. 20), announced the new initiative Wednesday. 
A Heartland spokesperson says the standards initiative is not an effort to distract attention from its breach, the size of which still hasn't been disclosed but which many industry sources believe is one of the largest, if not the largest, compromise of card data ever. “I don't think so at all, and in fact Heartland has been eager to discuss the data breach since Day 1,” the spokesperson tells Digital Transactions News. Days after announcing the breach, Heartland chief executive Robert O. Carr called for end-to-end encryption of card data during the transaction process. “The ball is rolling and has been rolling,” the spokesperson says. “Bob Carr turned his attention to end-to-end encryption about a year and a half ago. The data breach caused us to enhance that effort.” Heartland will play host to an initial planning meeting May 7 in Plano where industry experts will discuss technical security issues related to what the processor calls the “Sensitive Card Data Protection Between Device and Acquiring System” initiative. Ideas generated at that meeting will be presented at an ASC X9 standards-development meeting June 1-5 in Foster City, Calif. MAG's Roberts tells Digital Transactions News that the standards-setting process can take anywhere from several months to two years, and that MAG is “interested in this going as fast as possible.” Some MAG members may lend personnel to aid in development of the standards, he adds. The X9 initiative, however, raises the question of how any new or enhanced existing standard would work with PCI, whose stringent rules the card networks require merchants and processors to meet. Merchants often complain about the cost and difficulty of attaining PCI compliance, and some companies, including Heartland, had passed their most recent PCI audits before being breached. 
“This is where I have a great level of concern, and I think this concern is shared by many folks,” says Roberts, whose duties at Southwest included oversight of card-acceptance matters, including security. Roberts says the ASC X9 already addressed card-related security issues before the card networks rolled up their individual security standards about five years ago under the PCI umbrella. “They went outside of that and created something new, which begs the question why,” he says. The PCI Security Standards Council, which oversees the PCI rules, did not respond to a Digital Transactions News request for comment. MAG, however, is trying to work within the system. It sought election to one of 14 seats open this spring on the PCI Council's Board of Advisors. MAG didn't win a seat, apparently because not enough people know about the group yet, Roberts says. In a separate development, Heartland's Carr is scheduled to discuss his company's breach Tuesday at the first meeting of The Financial Services Information Sharing and Analysis Center's Payments Processing Information Sharing Council in St. Pete Beach, Fla. The FS-ISAC is a non-profit forum for financial executives to collaborate on security threats, and the PPISC is a new sub-group initially restricted to processing executives who sign non-disclosure agreements. Heartland also is scheduled to release its first-quarter earnings report May 7. The processor surprised many observers at the time of its last earnings report by not setting aside reserves to cover breach-related costs such as reimbursing card issuers for replacing cards with compromised numbers and litigation. The spokesperson would not say if Heartland's next financial report would include a reserve. Visa recently removed Heartland and RBS WorldPay, another processor that also sustained a major data breach in the past year, from its list of PCI-compliant processors (Digital Transactions News, March 14).
Heartland announced late Friday that it has passed its annual PCI audit and attained validated compliance, and that Visa would again include Heartland on its list of PCI-compliant processors beginning Monday.