Menu
US lawmakers call for data protection standards to avoid breaches

US lawmakers call for data protection standards to avoid breaches

Legislators push for US credit cards to include chip technology

The U.S. Congress should mandate that banks, retailers and payment card processors adopt new security standards to protect against widespread data breaches, some lawmakers said Wednesday.

In the wake of several high-profile retail data breaches, some members of the U.S. House of Representatives Financial Services Committee called for new cybersecurity mandates, with Representative David Scott, a Georgia Democrat, asking if Congress should require the U.S. financial industry to adopt new card security measures used in other countries.

The U.S. payments and financial system makes "things easy for fraudsters" by relying on magnetic-strip credit and debit cards instead of moving to EMV cards that contain integrated computer chips and require customers to enter PINs at the point of purchase, Scott said.

Congress is "anxious" to take action to stop data breaches, Scott said. During Wednesday's hearing, several lawmakers noted the data breach at retailer Target affecting up to 110 million U.S. residents. "Is there any reason Congress shouldn't mandate that payment card security standards use the most effective technology in the marketplace?" asked Scott. "I think this is a problem of soaring magnitude, and we're going to be in trouble if we don't get a handle on this."

Congress should mandate higher standards, but lawmakers shouldn't mandate specific technologies, said Edmund Mierzwinski, consumer program director at consumer group U.S. PIRG (Public Interest Research Group).

"We are still using a 40- or 50-year-old magnetic stripe obsolete technology," Mierzwinski said. "We are now starting to move slowly" to new technologies.

Banks and payment processors have said that moving to a chip-and-PIN card system will be expensive, requiring new card-reading machines at all retailers. Visa, MasterCard and others have announced plans to move to chip-based cards by late 2015.

Some lawmakers and witnesses called for a national data breach notification law, to supersede the 45-plus state laws now on the books. A national breach notification law would make it simpler for companies to comply with the requirements and simpler for consumers to understand the notifications, some representatives of the financial industry said.

But a national data breach law shouldn't preempt tough state laws, Mierzwinski said. And it shouldn't, as some backers of a national law have suggested, allow companies to avoid reporting a data breach if they don't believe thieves have gained access to personal information.

"Force companies that lost your information to tell us about it," he said.

Other witnesses called for security standards to come from private industry. The PCI Security Standards Council, an organization that develops payment security standards, already has payment processing standards in place, including a standard for using chipped payment cards, said Troy Leach, CTO at the council.

The U.S. government should focus on prosecuting cybercriminals and on encouraging threat information-sharing between businesses and government, Leach said.

The development of payment card standards is "something we are uniquely qualified to do," he said. "The recent breaches underscore the complex nature of payment card security. The multifaceted problem cannot be solved by a single technology, mandate or regulation."

Other lawmakers pressed representatives of the U.S. Secret Service and the U.S. Department of Homeland Security to more aggressively prosecute cybercrime. Representative Carolyn Maloney, a New York Democrat, questioned if the U.S. government was collecting enough information about the extent of cyber and payments processing crime.

"Who's keeping the data on how big of a problem it is in the United States?" she said. "It's huge, in terms of national security, financial security and economic security of our country."

The DHS is collecting as much information as it can, but businesses are not required to report data breaches, said Larry Zelvin, director of the DHS National Cybersecurity and Communications Integration Center.

"We still don't have the visibility on everything," he said. "It is still just a snapshot."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Troy LeachregulationU.S. Department of Homeland SecurityLarry ZelvinU.S. CongresslegislationU.S. PIRGgovernmentEdmund MierzwinskiDavid ScottPCI Security Standards CouncilCarolyn MaloneysecurityU.S. Secret Service

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments