PCI: New Focus on Mobile
New PCI Council Chair Sets 2012 Agenda
Mike Mitchell, chairman of the Payment Card Industry Security Standards Council, says addressing security risks in the emerging mobile payments space is a top priority for PCI leaders.
And it's not just mobile the PCI Council is focused on. In fact, Mitchell says all emerging technologies - from point-to-point encryption to tokenization - also are topping the list, as compliance and training plans for 2012 ramp up.
"We have special interest groups that will be looking at how to take a risk-based approach to the next level," Mitchell says in an interview with Information Security Media Group's Tracy Kitten [transcript below]. To get there, those groups are addressing payments security concerns for merchants, financial institutions and others that have to comply with the PCI Data Security Standard.
Because of its rapid adoption and growth, mobile is posing a growing concern in the payments space. And the council will inevitably have to address some of those new security risks, says Bob Russo, general manager of the council.
"The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security," Russo says. "We have a task force looking at this, and in 2011 we issued some guidance. This year we will be issuing some best practices."
Mobile payments have the potential to transform the industry. "But with that potential are increased risks and increased vulnerabilities," Mitchell says. "We want security to remain at the center of the payments evolution," which means organizations have to address mobile risks proactively.
Addressing the security concerns surrounding mobile and other emerging payment options with risk in mind is a given. For the council, mobile security also calls for a closer look at the security advantages provided by the Europay, MasterCard, Visa (EMV) standard: how can EMV improve the security of mobile payments?
During this interview, Mitchell and Russo discuss:
- How the PCI SSC is working to evolve its outreach and educational strategies to improve understanding of the PCI-DSS;
- How end-to-end or point-to-point encryption and tokenization will complement payments security and encourage ongoing PCI compliance;
- Why EMV cannot replace the need for PCI compliance.
Mitchell is the vice president of global network operations for merchant data security at American Express. With 15 years at AmEx, Mitchell has extensive experience managing global processes and programs designed to improve payment security. In his current role, he oversees information security policies, risk management functions and global compliance operations.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.
TRACY KITTEN: Mike, can you tell us a bit about your role and a bit about your background in payments?
MIKE MITCHELL: I've been associated with the council for approximately five years, since it was launched in 2006. I've served in different capacities - technical, management, operational - and I'm absolutely thrilled at the opportunity to be serving as chairperson of the council in 2012. I'll be helping to guide the council and its interactions with the industry and the merchants in the marketplace that we serve in 2012 to accomplish some key objectives.
Additionally, I'm employed at American Express where I'm the vice president of global data security. My role there is to ensure the secure processing of American Express payment data throughout the entire transaction lifecycle. I have global responsibility for information security, policy, compliance operations, and previously I've held different positions within the company related to IT security to help protect against threats and vulnerabilities and put in place some operational capabilities to monitor security as well.
As I look ahead in 2012, the reason I'm so excited about my role as the chairperson is we've got some really phenomenal objectives we want to achieve this year. 2012 is what we refer to as a feedback cycle year where, as part of our standards lifecycle management process, we work very closely with our membership to receive their input and feedback on the standards themselves to help us enhance and modify and improve those standards.
In addition to that, there are a number of key initiatives that are being performed by special interest groups and they'll be looking at some of the top priorities for our members around how to protect payment data in the e-commerce space, cloud computing, and how to take a risk-based approach to the next level.
In addition to that, the council is continuing to look very closely at some new technologies for processing payments such as point-to-point encryption and tokenization and how we can use those to provide more solutions to the marketplace.
Then lastly, we're very excited to be involved with our members on the additional front in expanding, I would say, our global footprint across the regions in the different marketplaces in which we serve.
KITTEN: The council has said that it expects to address some emerging payment security concerns, and you've touched on some of those, Mike, in 2012. One of those concerns relates to evolving payment risks posed by mobile. Bob, I thought you might be able to speak to this a bit. As general manager of the council, could you tell us why the standards council has mobile on its radar?
BOB RUSSO: As you're probably well aware, the adoption of mobile's running rampant. Everyone wants to take advantage of this new technology and certainly when it comes to using personal mobile devices, the adoption has gone so quickly that people have not really worried about the security part of it because they want to get it into their environments very, very quickly. We currently have a task force that we've got in place consisting of a number of experts out in the field as well as people from the card brands and people from the council that's exploring really how to effectively secure this cardholder data in this particular environment because it's a rather complicated environment with a lot of moving parts.
In 2011, if you remember, we issued some guidance on the types of applications that can allow merchants and service providers to accept and process payment cards in a PCI compliant manner, and this year we will be releasing best practices for these mobile application environments based on the information that we get from these task forces.
KITTEN: Mike, I wanted to ask you about technology changes or concerns that you see in the mobile payment space.
MITCHELL: It's probably one of the most exciting things in the payments industry in a long time. Mobile payments have the potential to truly transform our industry and with that potential is also the potential of increased risk and increased vulnerabilities, and I think these are the types of things that everybody involved in the payments industry should be aware of and should be putting right at the center of developing these new payments solutions and these new payments-processing capabilities in that mobile infrastructure.
We realize that there are a lot of organizations out there that are essentially experimenting and doing trials, and there are new pilots and prototypes that are emerging. So the council is watching this very, very closely and our role is to make sure that security stays at the center of that payments evolution. I think some of the most important things to be focused on are ensuring the integrity of the data and ensuring that we've got the proper controls in place as we go forward, and understanding what the underlying dependencies are to make sure that we've got security in the operating systems, we've got security upstream in things like the trusted service manager, and the council will continue to focus its efforts in ensuring that there's security in the acceptance devices.
KITTEN: I wanted to ask about mobile wallets. How do you see mobile wallets affecting some of those security concerns?
RUSSO: Certainly mobile wallets are something that everybody wants to use these days. It's important that your listeners understand that there's a big difference between what a consumer-facing mobile application like a mobile wallet is and those mobile payment-acceptance applications that are used by merchants to actually accept credit cards. The standards address the payment applications that are used specifically by merchants to accept and process those credit card transactions. NFC, or near field communication, within the mobile device such as the mobile wallet is really focused directly at the consumer rather than the merchant environment. There are really other standards like these out there like GSMA and EMV that have requirements in place and are continuing to put requirements in place in this particular order. As the environment or the council relates to mobile phones being used as a terminal to take payments and more importantly the applications that are actually running on those mobile devices - that includes storing cardholder data and details - we currently again have a task force in place that is exploring specifically how to effectively secure this data on those devices.
E-Commerce, Security, Cloud Computing
KITTEN: Mike, you've talked a little bit about some of the new guidance that's related to e-commerce, security, cloud computing and risk assessments that the council says it plans to issue in 2012. But could you just give us some of the highlights, or the top concerns, that you expect the council to address in those three areas specifically?
MITCHELL: These three areas are an example of our membership [coming] together to form these special interest groups, and I have to tell you that our membership and their input on these priorities are absolutely vital to our success in understanding what's going on in the marketplace to give them an opportunity to bring their real life experiences as well as their industry expertise to these topics. This really is a situation where the community has come together. They have had an opportunity to tell us what's important to them. We have listened. The community actually voted on these and chose these as the top three priorities, so the actual output and deliverables from these special interest groups are dependent upon the work that's done by our membership. It's dependent upon the guidance that they develop themselves in these forums. So if you look at the past output that we've received from the special interest groups, which includes information supplements on point-to-point encryption, which has now become a top priority for the council, as well as tokenization as a new payment technology, and some additional guidance on anti-skimming and wireless networks, you can see that we're really expecting some quality deliverables in 2012. We're very excited to see what they come forth with.
KITTEN: Now much has been said about the U.S.'s move to chip payments that meet the commonly used global EMV standard. Bob, I would like to ask you how you see EMV assisting with PCI compliance or the need to conform to certain PCI standards. Where does EMV fall in that line?
RUSSO: First of all, let me say that we think that EMV is a wonderful technology. It's been used for over ten years now in other parts of the world, specifically Europe, and it's specifically for authentication and when it comes to face-to-face fraud in a face-to-face environment it's been a wonderful, wonderful tool and it's helped there. However, we have to make sure that people understand that EMV alone really isn't enough. PCI-DSS and EMV together are really what you need to protect the cardholder data that's out there. We've actually delivered some guidance documents on EMV last year which are available on our website, and in conjunction with PCI standards make it very, very effective not only in a face-to-face environment but in a card-not-present environment. These are multi-channel and as you well know there are no pure EMV or one-size-fits-all EMV environments out there. Most of the EMV environments out there are some hybrid form of taking both mag-stripe and EMV. So the combination of PCI-DSS and EMV is a really, really powerful tool against fraud.
KITTEN: Then what about EMV's impact on mobile? We've talked a lot about mobile. How do you see EMV and mobile connecting as it relates to PCI compliance?
RUSSO: I have to go back to the EMV organization who are doing a lot of work in this space and certainly the PCI Security Standards Council is looking to partner where the same technology is used for both acceptance and issuance. EMV provides yet an additional pad in conjunction with point-to-point encryption to allow mobile acceptance to happen at a much, much lower risk.
KITTEN: Mike, how do you see the standard evolving and/or changing over the next year when it comes to PCI compliance related to EMV?
MITCHELL: What I can say is that as we look to the future, we're going to continue to listen to our membership. As I mentioned earlier, they're absolutely vital to our success and critical to us understanding their needs and requirements input from the marketplace, but what we know today that's important to them are the areas of e-commerce and cloud computing, but we also know that mobile is at the forefront as well as other technologies like encryption, as well as multiple forms of card-not-present payments. We believe security is going to be at the center of the evolving payments industry and we'll continue to be there to support our membership.
Education on Top Technology Areas
KITTEN: When we talk a little bit about the educational opportunities that the council is offering, where do you see the council assisting as far as education goes when it comes to changes related to PCI and EMV and then some of the other things we've talked about, such as tokenization?
RUSSO: Most of your listeners know that we're on a three-year lifecycle in terms of our standards and how we put out guidance on those as well, and it's a pretty transparent lifecycle that really provides a good view into what's going on and how we're making changes or updates to the standards. As Mike said, we're in a feedback period right now and I know from the last time we updated the standards, we shared what we called a "summary of changes" quite a few months before we actually released the standard. Then we published the standard a few months after that, giving everybody the opportunity to have a look at what was coming down the pipe and the opportunity to comment on it.
In our community meetings, which we now have three of during this cycle, we have the ability for them to comment on what's going on. We gave them an entire year to implement the standard and that gave them the opportunity to formulate more questions on it, understand what was going on with it and again being very transparent here. But I think the biggest thing your listeners have to understand is that our participating organization group, which is about 650 strong now, is the best way to get really good insight as to what's going on with the standard and more importantly have a say in what's going on with the standard. I would encourage you to let your listeners know that this is the best way for them to participate here, and we would love to have the most participating organizations and certainly if they're interested in helping with this or getting more involved with the standard and helping evolve it going forward, they can get this information on our website to join.
Advice to Businesses, Banks
KITTEN: Before we close, I wanted to ask both of you what advice you could offer to businesses and banking institutions that would help them prepare for changes coming in 2012. It sounds like getting involved is maybe the first step.
RUSSO: Certainly that's one of the first steps. Training of course is very, very important. Education is always the biggest issue that we face here, and of course the council now has many, many training programs that we're putting out there for people not only in the face-to-face environment or in a classroom setting, but also on computer-based training. [It's] the ability for people to learn about these standards and get more involved. There's awareness training, which is a very high-level training and I think it comes back to education on this. All the information is out there. You need to avail yourself of the opportunities to find out about it, and now with CBT [computer-based training] it's much easier to do right in the comfort of your own offices.
I would encourage your listeners to again go to the website, check the training schedules and check what we have. We're expanding our training offerings this year enormously so there will be things coming out and there will be opportunities not only to come to this training, but also again I'll go back to participating organization benefits to come to the community meetings that we do every year which are really, really good training events, [along with] the ability to network with your peers and find out what's going on in your particular vertical. People are now uniting against the bad guys, if you will, and people are sharing information on what they're doing in their specific industry to protect themselves. So [it's] a very, very good opportunity to network with your peers and find out what someone else is doing.
MITCHELL: There are a number of tools and capabilities that the council has developed over the years that I think are extremely valuable that could benefit your constituents' listeners and audience. It includes things like self-assessment questionnaires. It helps the banking institutions in their merchant portfolios understand [if] they're PCI compliant. What does their individual journey toward compliance look like? In addition to that, there are templates and tools that will help them understand how to prioritize their efforts if they're not yet PCI compliant. There are also some additional information supplements there that they could read and get much smarter about PCI and what it's about. [There's] lots and lots of good information available on the website.