The Future of PCI
European PCI Director Says Retail Networks Too Easy to Breach
New payments technology, such as mobile and emerging e-commerce transactions, is posing security challenges and more hurdles for compliance with the Payment Card Industry Data Security Standard, says PCI Security Standards Council European director Jeremy King.
"The biggest challenge going forward is new technology, new technology, new technology," says King during an interview with Information Security Media Group [transcript below].
The PCI Council is seeing exponential growth in mobile commerce rollouts, but card security has often been an afterthought, he says. To address emerging risks, the council is working with expert groups to identify adequate security solutions for these new technologies, King says.
"[There are] lots of challenges over and above just the standard ones of not storing the data if you don't need it," King says. "Trying to improve weak passwords around the place, and trying to improve the overall security of integrated software," also have to be considerations, he adds.
As the council expands its international reach, with a new board of advisers that for the first time includes representation from every major global card market, King says the payments industry is now well-positioned to address card security.
"We have new representatives coming on from Africa and the Middle East, to join the representation we have from the United States, Europe and Asia," he says. "Now we can get a true global perspective about what the challenges are and what is working."
During this interview, King discusses:
- How small merchants throughout the world are being targeted by malware and other attacks that compromise card data;
- Steps the council is taking now to address PCI DSS updates to be issued later this year;
- How emerging payments and technologies are impacting PCI compliance.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs.
TRACY KITTEN: What are some of the card-security challenges you're seeing internationally?
JEREMY KING: I think your question is really spot on when you say "unique challenges." Everybody has their own particular issues and concerns that affect their organizations. But I think there are some common challenges which cross the boundaries and cross the boards that I think, with the help of our community, the PCI Security Standards Council is addressing.
Unfortunately, the criminals are still finding it too easy to break into everybody's systems. If you look at the latest Verizon security breach report and [other] reports, all of them showed that poor passwords or weak passwords were the number-one challenge we have to address. At a recent conference I was speaking at, I said this isn't low-hanging fruit. This is fruit that's lying on the floor waiting to be picked up. Unfortunately, that's what the criminals are doing. The criminals are finding it easy to break into people's systems.
The next big topic is poorly installed software or poorly integrated software. For an issuer or anybody in security doing the transaction process, you can have the best security programs in the world, but if you install software badly or have it integrated poorly, there's a case of not knowing what you don't know until you're breached. The PCI Council last October rolled out their QIR program - Qualified Integrated Reseller - to help train integrators and resellers to be able to securely install software, try and remove some of these unknowns and try to improve the issue of weak admin passwords and weak user passwords. Those are some of the things that are really raising issues on a global market.
Markets Impacted by Breaches
KITTEN: Retail and processor breaches have been garnering attention in the United States. Are other markets facing similar breach risks?
KING: It's fair to say that all markets around the world are, unfortunately, suffering these types of breaches. When you look at the recent reports, we're seeing an increasing number of these breaches being related to organized criminal gangs. I have to say the organized criminal gangs are exactly what the words say; they're organized and they're sharing their techniques and processes which they're using to breach people's systems. I guess it's no surprise that we're seeing similar types of attacks being used around the world.
I think what you're seeing there is really one of the highlights with our new board of advisers that we're just announcing. By having the community involved very closely with the council, then we begin to see and hear from them what the challenges are and what the issues are they're facing. From that information, we can start using that to help drive and derive guidance.
Starting this year, we saw the launch of our guidance documents from the help of our special interest groups, which covered key topics like e-commerce, cloud and risk assessment. That really did help us tackle some of those breaches that we were seeing. But I think going forward this year, we've already seen that our theme this year is focusing on third-party processes, which gives you some indication that people are worried about the relationship between the merchants and the third-party provider, and are there weaknesses that the criminals are exploiting. In your recent article on the macro attacks, you highlighted where some of these attacks could be taking place and how the criminals could be getting into people's systems. It's important that we see this as a global issue where PCI standards address the problem.
Addressing E-Commerce, Card-not-Present Fraud
KITTEN: What steps is the PCI Council taking there to address card-not-present fraud in EMV-compliant markets?
KING: When I first joined the council as European director back in 2010, making Europe aware that by itself EMV isn't the cure-all for the state of security was one of the key tasks we had. With the help of our board of advisers they had at the time, we wrote a paper called "PCI-DSS Applicability in an EMV Environment," and this really shows you why you need PCI as well as EMV if you want to get the best levels of security. It's a paper I would absolutely recommend all of your readers and the listeners of this podcast to download from our PCI website because EMV is great at curing face-to-face transactions and reducing face-to-face fraud, but, as you highlighted during the introduction, it doesn't cover card-not-present because you're not using the benefits of the chip technology. You're relying on the cardholder name, the PIN and the expiry date, and these elements are available through people's systems, which links us back to the first point that you raised, which is why the criminals are trying to break into people's systems. [It's] because if they gain this information, they've got the information they need to be able to undertake card-not-present fraud. Adopting and deploying the PCI-DSS and fully incorporating PCI-DSS and PA-DSS into your systems are the best way to tackle card-not-present fraud.
Card Security Challenges Globally
KITTEN: Are there common payment card security challenges you see shared among the U.S. and other global markets?
KING: Yes, absolutely. The biggest similarity and the biggest challenge going forward is new technology, new technology, new technology. As fast as we're gaining and driving security, there seems to be a new payment technology, technique or method coming online. Whenever you get new technology, you get new security challenges and new ways that criminals can break into your systems, which means this is an ongoing problem for everybody. Just to give you a couple of examples there, we're seeing a tremendous rollout or an increased involvement or interest in mobile commerce, and the PCI Council is really working closely with any and all expert groups to see how we can ensure the security of mobile commerce.
We're seeing that merchants are now wanting to bring their e-commerce, as we just talked about, and their face-to-face environment together so that if a customer goes into their shop and wants to buy some new clothes but they don't have the right size or the right color, then you can use their kiosk to be able to order the clothes in the size or color that you want. We've now got the face-to-face and e-commerce data being mixed up, and once we've tried to remove the data from the natural store, similarly with the kiosk, we're bringing it back together.
Around this we're doing it in new standards and requirements from the Council, such as our point-to-point encryption, which is all about trying to remove cardholder data from the store, and yet kiosks that we're seeing are bringing it back in. [There are] lots of challenges over and above just the standard ones of not storing the data if you don't need it, trying to improve weak passwords around the place, and trying to improve the overall security of integrated software.
KITTEN: What updates to the PCI-DSS might we expect to see issued later this year?
KING: That's a really great question, and it's the question that everybody wants to know and the question I get asked all the time. The truth of the matter is that I don't actually know at the moment. I think that the new standards have to be sort of seen in the same way as choosing a new pope. They all go off and sit in a room with closed doors and discuss the actual changes, and it's not until we see the white smoke coming out of the chimney that we know exactly what the final document looks like, and that's exactly what happened. Our technical working group closed [themselves] off and is doing the updates. In general terms, the feedback that we got from our community was "we understand the standards; we're comfortable with the standards; they're working very well; please kind of keep steady as she goes." That's how we envisioned it. It's going to be steady as she goes.
New PCI Council Board of Advisers
KITTEN: How is expanded global participation expected to enhance the effectiveness of the PCI-DSS?
KING: This is what I'm really excited about with the new board of advisers that's come onboard. We've brought in new representatives from Africa and from the Middle East to build on the representatives that we've got from North America, South America, Europe and Asia. We've now got true global representation. That is essential because what we are - and I say this all the time in conferences - is a community and we work at our very best as a community because we need to know from our community what the challenges are. We need to know where are the PCI standards working well and what are the changes and improvements that we need to make. That really reflects in all of the questions you've given me today and all of the answers. We work closely with our organizations, with our participating organizations and, going forward, with our board of advisers to look at these issues to see how we address them. A lot of the issues that you've raised there I will expect our new board to bring with them to the first meeting, and it fits a lot of our concentrations on how we're going to tackle these issues about improving the security for merchants and how to prevent criminals breaking into the system.
For the first time, we've actually got a representative for small merchants with the Retail Solutions Providers Association coming onto the board. Now we're really getting into import into the small merchants, and we're seeing around the world that the small merchants are those people who are being targeted by the criminals. It really does get us into all of the areas throughout the transaction process, throughout the world, and that's an absolutely fantastic thing. I'm really looking forward to the first meeting of our new board because that means our standards will remain applicable, appropriate and up-to-date, and that's essential in this ongoing fight against crime.