Gartner Blog Network

Fed Reserve Bank hack – don’t banks need PCI?

by Avivah Litan  |  November 21, 2010  |  3 Comments

Last week a Malaysian man was charged with hacking into the Federal Reserve Bank of Cleveland’s computer systems and with stealing more than 400,000 credit and debit card numbers.  Later, IDG News reported that the Fed said he only broke into a test Fed system, that the Fed doesn’t process card numbers so the card data couldn’t have been stolen there, and that no sensitive information was stolen during the hack.

Whatever the case, it does remind me, and probably many of you, that banks are not subject to PCI enforcement. Try to find a PCI-related deadline for card-issuing banks on the Visa or MasterCard websites and you will come up noticeably short.

I remember moderating a panel at a Federal Reserve Bank conference about two and a half years ago, with the card brands and major U.S. merchants present.  A treasurer at a top global merchant was noticeably irked when he asked the Visa rep on my panel when he could get a list of PCI compliant bank card issuers. The Visa panelist deflected the question.

It’s one of those parts of PCI enforcement that demonstrates the lack of a level playing field across banks, merchants, and merchant service providers. And it’s too esoteric an issue for Congress and the federal regulators to take on right now. They do seem to be making headway in breaking the secret circle and decision-making process that dictates interchange fees, which should give merchants more power when it comes to payments.  It would be nice if the security part of the card payment food chain were fair as well, but don’t hold your breath.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.

Thoughts on Fed Reserve Bank hack – don’t banks need PCI?

  1. […] This post was mentioned on Twitter by Jovi Umawing, Sergio Hernando and Uptime Devices, Avivah. Avivah said: Fed Reserve Bank hack – don’t banks need PCI? […]

  2. sorani says:

    Banks have to comply with PCI DSS, as does everyone who stores, processes or transmits cardholder data… nonetheless, I agree with you that they do not have to show compliance (as the rest of the world does)… and now this kind of thing happens…

  3. Walt Conway says:

    Bank card issuers are indeed subject to PCI DSS. The difference is that the card brands (Visa, MasterCard) set rules for validation. They also have an ‘exemption’ of sorts in that banks are allowed to retain the security codes (CVV2, CVC2) since they need them to produce cards.

    I wrote about this issue, which certainly is worth additional attention. There also is a PCI Council FAQ (#5391) on the subject.
