Should there be PCI security requirements for bank account data?

Why don't PCI security requirements exist for bank account numbers? Avivah Litan, vice president and distinguished analyst at Gartner Inc., said she's long wondered about the dearth of an industry security standard for sensitive bank account data and posed the question in a recent blog post.

By enforcing PCI security requirements the credit card brands have done a good job at driving security awareness and system improvements by companies that process payment cards, Litan wrote. "I've often wondered why a similar bank consortium has not exercised the same muscle around the protection of bank account numbers and related data," she added.

Ultimately, the card brands like Visa and MasterCard behind the PCI Data Security Standard are very organized and there have been more breaches involving payment cards, but that may be changing with the rise in online banking fraud, Litan said in an interview. "If you ask the banks where the threats are, ACH and wire fraud are top of mind and both of those rely on bank account data," she said.

Federal officials have issued alerts about an increase in ACH and wire fraud hitting the banking accounts of small businesses, municipalities and nonprofits. The FDIC estimated losses from fraudulent EFTs in the third quarter of 2009 at about $120 million.

Online business bank accounts are under attack, but the fraud losses typically fall on the banking customer, which gives banks less incentive to enforce protections, Litan said.

"PCI was implemented to protect the credit card companies, not consumers. When it comes to banks protecting themselves against losses they do a good job, but when the losses are shifted to the customer, they're not as good at enforcing protection," she said.

Some enterprises have told Litan that they plan to implement security around bank account numbers and other sensitive data like Social Security numbers when they implement PCI security requirements for payment card data. In addition, outsourced payment providers like ProPay Inc. are beginning to offer tokenization of bank account numbers in addition to payment card data, she said.

Lehi, Utah-based ProPay recently announced that it added encryption and tokenization for Automated Clearing House (ACH) data -- bank routing and account numbers -- to its ProtectPay services. The offering, which company executives said is the first of its kind, allows organizations to conduct transactions on the ACH network without storing or processing bank account data. Using an online interface or API, ProPay captures and encrypts the ACH data, and returns a token to the organization.

"Once they have that token in their environment, they can use it for any normal business processes they have," said Ryan Oakes, ProPay vice president of product management. "If they need to pull up the last four digits of a routing or checking account number, there are API calls using that token to retrieve the last four digits, so they can display that in a customer service center and verify information. It still gives them the safety of removing the truly sensitive data out of their system."

The service is designed for any organization that stores bank account information, such as companies that conduct automatic bill payment or direct deposit, Oakes said. Some utility companies are already using the service.

Customers are expressing concern over ACH data in light of the surge in ACH fraud, ProPay CIO Mark Johnson said. Oakes said he expects a PCI-like standard to emerge eventually for ACH data.

Sid Pearl, global director of risk intelligence solutions management at Blue Bell, Pa.-based Unisys Corp., said FS-ISAC and other organizations could work with banks to drive development of a security standard for bank account data after building an understanding of exactly what's needed to protect it that includes taking the criminals' perspective into account.

A study released last month by Unisys showed that identity theft and credit and debit card fraud are top concerns for Americans. According to the latest results from the biannual Unisys Security Index, which surveyed more than 1,000 consumers, 64% of respondents are seriously concerned about identity theft and 62% are worried about credit and debit card fraud.

David Schneier, managing director of consulting firm R.I.S.C. Associates, said the banking industry already has a set of regulations to govern bank account information: GLBA.

"The problem with managing the inherent risks associated with account data is that institutions can only do so much and the information travels over many channels in the form of debit card purchases and ATM activity, which is one of the key drivers behind vendor management nowadays," he said.