If you missed it, you can see a recording here! See what the Twitterverse had to say here by searching for #pcihearing. TONS of coverage on this.

First, I am very proud of our congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read in the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement of detailed medical terms and missed the words. Regardless, huge props for taking the issue on.

In the next paragraphs, clicking on the individual’s name will bring up their prepared, written transcript that is summarized in the briefing.

After the opening statements from Chairwoman Clarke and Chairman Thompson, Ms. Rita Glavin, Acting Assistant Attorney General, Criminal Division, Department of Justice spoke about her experience with card breaches and investigations. The committee had a few questions for her, but I don’t see a written transcript for hers or any of the later testimony. I’m pretty sure they had someone taking the entire text down, but I don’t see it posted.

Next, they welcomed up the next group of folks, starting with Bob Russo, General Manager of the PCI Security Standards Council. Bob did a good job of explaining what PCI is, and how the PCI DSS, PA-DSS, and PCI PED Standards work to protect cardholder data. He also re-iterated Visa’s general statement from earlier this month that no breached entity has ever been found to be in full compliance with the PCI DSS.

Up next, W. Joseph Majka, Head of Fraud Control & Investigations. His statements touched items such as the VISA Compliance Acceleration Program that is fining merchants today, and how VISA cooperates with law enforcement to assist in the prosecution of the bad guys. He also discussed the removal of RBS Worldpay and Heartland Payment Systems from the CISP Compliant List of Service providers. Looking back on it, I wonder if that action was done knowing that this hearing was on the horizon.

Following Mr. Majka was Michael Jones, CIO of Michael’s Stores. One of his statements was a little odd to me, the whole security policy question. I think that has been addressed by the council in the FAQ. If not, it has been discussed at length in various areas, and I believe he would have gotten a good answer from the Council if he submitted a question.

Mr. Jones also brought up the chargeback thing, and I’m really struggling with this. Unique approval IDs exist for every card brand as of last year, and we have been able to get EVERY one of our customers processing chargebacks from their banks WITHOUT storing the full PAN (yes, Hogan references this in his statement too… ugh). Next he makes an incorrect statement that PCI requires card data to be encrypted. PCI requires card data to be rendered unreadable, encryption being one of the many methods that can be implemented to accomplish this. His points on sending encrypted info to the bank is well taken, but again, he might need to push hard on his acquirer. Many acquirers or processors offer this. You can also protect card data in flight without dealing with acquirer specifics by using site to site VPNs or SSL tunnels.

Next, he insinuates that end to end encryption would have prevented several prominent breaches. I’m too close to those matters to say definitively on this blog; however, one point I will make is that end to end encryption only works if it is truly end to end. Internal network encryption that does not start at the PED has a great shot of being vulnerable to attack. How? We’re seeing attacks where hackers upload debugging software to POS controllers, or even terminals, and scrape memory. This means that they can see the information before the encryption routine occurs. Uploading this type of software to a PED device is much more difficult (if not impossible) to do, that is why the encryption must happen there.

Next, Mr. Jones talks about how SOX covers PCI. Some cases, yes, but not in the way it was presented. He makes it seem like SOX & PCI are big duplicates.

His next point talks about how the merchant ends up holding the bag in a breach scenario. He is absolutely correct here. What he fails to mention is that the merchant MUST comply with other regulations, not just PCI, and that it is the merchant’s choice to either 1) be responsible with the data they have, or 2) stop accepting credit cards. I know several merchants who have stopped accepting cards, or completely outsourced the processing of cards for this very reason. Sure it costs more, but think about it. That’s the compliance cost right there. Now you are not holding the bag, especially since I believe there is little or no brand damage suffered by a retailer caught in a breach.

Retailers DO have the largest financial impact, especially from fines from ADCR (Visa) or other recovery methods. Wow, he called the card brands Card Monopolists!

Next, Mr. Dave Hogan, CIO of the National Retail Federation. Ahh, Dave, Dave, Dave… I had really high hopes for his statement after he started off with some fantastic points. Maybe he fired his old writer? I won’t summarize everything, you can watch the video.

But then the propaganda started coming out. I disagree with his point about the standards constantly changing. They change on a set schedule of every two years, the last one actually relaxed several requirements from PCI DSS 1.1.

I want to point something out here… The “game is always changing” mode of thinking is ALL RELATIVE. I’ve seen merchants move mountains when it comes to reacting to the market, such as standing up stores in record time, moving products that are virtually guaranteed to sell to the front of the store, and slashing prices to compete with the down-the-street guy. Taking two (or more) years to implement a standard is certainly telling of where the focus is when you think about how quickly some companies react to market conditions.

It’s all about the mindset.

Lots of finger pointing here for sure from the merchant side, but arguably they have the most to lose.

Will PINs solve Hogan’s point number 2? No. The same systems are used for Credit & Debit, and companies will continue to expose the system’s flaws by storing said PIN data and having it subsequently breached.

I’m not going to summarize the entire Q/A, you need to watch it. Suffice to say, GOOD stuff in here. A couple of highlights…

Mr Lujan did miss one point that Bob was trying to make. In the fire inspector example, Bob was revealing a potential issue that can occur in how companies become compliant, maintain compliance, and potentially suffer a breach. Mr. Lujan pointed to the QSA (he used the term regulator, which can definitely be a problem), while Bob seemed to point to the merchant (which can also be a problem).

Hogan also did his whole thing about merchants being required to store cardholder data. I’ve said it before, this is total hogwash and I still can’t believe that he is spreading this nonsense. Every customer of ours has been able to address this with their acquirer such that they are not required to store this data.

Mr. Jones hits it right on the nose in this interchange. Merchants MUST work with their acquirer to accomplish this! If the acquirer is not doing their job properly, maybe it’s time to change to an acquirer that will (WHO MOVED MY CHEESE!??)!

One thing that I’m really worried about… Let’s say that the card brands “fix” the system, and make it hack proof. What will the bad guys attack at merchants next? If you want to look at the two competing problems here, problem one is that the payment system IS insecure. I don’t think you will find anyone that will disagree with that. Problem two is so much worse… many corporations are ALSO insecure!

Mr. Hogan mentions that companies replaced good security programs with new programs to cover PCI. PCI is NOT a security program, and was never meant to be one. That said, I would challenge Mr. Hogan to show me a good security program, pre-PCI, that is better than what merchants and service providers have now, post-PCI. If the old program was good, but replaced because of PCI, the company doing the implementation missed the mark.

Bigtime.

Regardless of the outcome, this was an extremely productive session, and I hope to see more testimony and more written statements from the committee and witnesses on this subject. I think that all of the panelists (yes ALL.. every one of them) showed a great amount of courage today standing up in a session like this and discussing serious issues with payment security, and I only hope that this leads to a better understanding of data and payment security.

You can be a victim, or you can be the victor. The path is up to you.

This post originally appeared on BrandenWilliams.com.