Digital Transactions Authoritative, insightful and timely information for payments professionals
At a time when the security of personal financial information is in the news thanks to the recently disclosed computer breach at off-price retailer The TJX Cos. Inc., vendors that sell technology and services so merchants can meet the Payment Card Industry (PCI) data security standard have formed a group to spread the word about the standards. The new group, called the PCI Security Vendor Alliance, announced its birth this week. It currently has eight members but is likely to grow, according to spokesperson David Taylor, vice president of data security strategies at Stamford, Conn.-based Protegrity USA Inc., one of the founding members. In his job, Taylor consults with companies that have large amounts of data to protect to help them find ways to do that. The vendors, many of whom are rivals, came together because of common interests, according to Taylor. One is merchant education about how to meet the daunting PCI standards, which so far most merchants haven't fully implemented. Another is to give voice in the payments industry to vendors' key roles in supporting PCI. The major general-purpose card networks, Visa, MasterCard, American Express, and Discover, rolled up their individual security standards under the PCI umbrella in late 2004. According to Taylor, however, only two classes of vendors?certified assessors, which review a merchant's security systems for PCI compliance, and qualified scanners, or vendors that create PCI-related software systems for assessing security?currently have official status in the PCI world. That leaves out what he says “are hundreds of support companies” that sell security-related technology or services that in some manner involve PCI. “There's no certification of what we do,” Taylor says. The alliance met its deadline of launching a Web site, www.pcialliance.org, before the RSA Conference 2007, the nation's leading security-technology event, starts next week in San Francisco. Conference organizers expect 15,000 attendees, and the PCI group will have a presence at the show. The new group doesn't yet have an executive director or board of directors. Members already are interviewing association-management firms to possibly oversee the group when it gets bigger, according to Taylor. Besides Protegrity, the PCI alliance's first members include ConfigureSoft Inc., CyberArk Inc., Modulo Security, Proginet Inc., Reflex Security, SafeNet Inc., and VeriSign Inc. Meanwhile, the furor over the leak of card data at Framingham, Mass-based TJX continues to grow in the wake of its Jan. 17 disclosure. The Boston Globe reported today that Union Springs, Ala.-based AmeriFirstBank Inc. has filed a lawsuit in U.S. District Court in Boston against TJX and its merchant acquirer, Cincinnati-based Fifth Third Bancorp, owner of Fifth Third Processing Solutions. The suit, which seeks class-action status, claims 150 AmeriFirst-issued credit and debit cards were compromised in the breach and wants the defendants to pay the $20-per-card reissuance cost as well as cover fraud losses. Consumers already have filed several suits against TJX, the Globe reported. Also, U.S. Rep. Edward Markey, D-Mass., wants the Federal Trade Commission to investigate how the breach happened, according to the Globe. Markey is on a House committee that oversees the FTC.
