Sometime around Christmas, Megan Ney learned from her bank that someone else had successfully applied for a debit card in her name.
A few days later, she heard from Target that her debit card information had been stolen in a data breach. Ney believes the two episodes are related, though her bank and Target say they can't tell her for sure.
Ney, a 29-year-old oil and gas company accountant from Tulsa, Okla., shops less at Target now and often only with cash because she's still nervous about the data breach. She wants to know if Target failed to meet payment security standards and how it will be sanctioned if it was at fault.
"If I'm going to continue to be shopping there," Ney said, "I want to know that my identity and my banking information are protected."
But even as cyber threats grow in frequency and sophistication, the system for ensuring payment card security in the United States remains a closely guarded arrangement among the credit card networks that set it up, the banks that process payments for merchants and the merchants themselves.
No regulator ensures that companies meet minimum requirements for protecting data. No public database tells consumers which companies lost customer information through poor performance or neglect, or when and how much they were fined. Banks and credit card companies determine fault on a case-by-case basis through private contracts with individual merchants. Fines and the reasons for them remain sealed.
"It's this mafia monopoly. It really is," said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research. "It's a highly flawed process."
The Payment Card Industry (PCI) Security Standards Council, which sets the standards for protecting card information, was created by the world's five major card brands -- Visa, Discover, MasterCard, American Express and JCB (Japan) -- nearly eight years ago. Run by the card networks, the council doesn't collect information on compliance. It sets standards.
Enforcement lies with the individual card networks. Generally, when a merchant is out of compliance, the card companies fine the bank that processes the merchant's card transactions. The bank in turn fines the merchant. (American Express works directly with merchants, Litan said.) In the past, fines have ranged from $3,000 to $5,000 a month per merchant, escalating to as much as $100,000 a month after six months of noncompliance, Litan said. In the event of a breach, there can be more fines.
Major retailers such as Target undergo private audits annually by one of hundreds of companies that perform them. Target's chief financial officer testified in a hearing last month that Target was found PCI-compliant on Sept. 20, about two months before thieves began vacuuming up card data from its cash registers via malware.
Target's vast breach has stoked questions about the effectiveness of the PCI system. By at least one measure, compliance is a problem.
Globally, just one in 10 organizations fully complies with the PCI standards, according to Verizon's latest PCI Compliance Report on Feb. 11. But Verizon can only report on its own clients, and it works mainly with large and international organizations. The 11 percent full compliance rate that Verizon documented likely would be even lower if it covered small and midsize organizations, said Rodolphe Simonetti, head of Verizon's PCI practice.
In an interview, Simonetti called the 11 percent full compliance a "huge improvement" from 2012 but said "it should be better than that." He blamed low compliance on the difficulty of some of the requirements, and the fact that the standards are young and still gaining acceptance.