PCI Council Responds to Critics

Council's GM Says No Standards Changes Needed

By , February 3, 2014.
Bob Russo

The PCI Security Standards Council has no plans to modify its standards for payment card data security in response to high-profile payment card breaches at Target and Neiman Marcus, says Bob Russo, the council's general manager.

"As the most recent industry forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics - poor implementation, poor maintenance of controls. And the PCI standards [already] cover these security controls," Russo stresses in an exclusive interview with Information Security Media Group.

"Incidents like these really highlight the need for businesses to build security into their day-to-day practices. In the case of the PCI standards, it's especially important that it does not become a once-a-year event like people think of when they think of compliance."

Questions Raised

In the wake of recent breaches, the efficacy of PCI-DSS in protecting cardholder data has been called into question by some experts. For example, Avivah Litan, a financial fraud expert who's an analyst with the consultancy Gartner, says PCI standards are "a failure."

Litan says merchants and payments processors have invested heavily in PCI compliance but still have been breached (see Retailer Breaches: A PCI Failure?).

But Russo stresses in the interview that the just-released version 3.0 of the PCI Data Security Standard, which took effect Jan. 1, already addresses point-of-sale malware risks, such as those blamed for the breaches at Target Corp. and Neiman Marcus.

He also says the new version of PCI-DSS deals with many of the concerns about processor and third-party vulnerabilities that have been raised in the wake of recent breaches (see PCI Update: Focus on Third-Party Risks). Thus, issuing an update or addendum to the standard would be redundant and unnecessary, he contends.

"Simply put, the PCI standard is an excellent line of defense," he says.

Russo also points out that PCI-DSS is "a set of controls that calls for layered security. But nothing is going to be a silver bullet here."

Need for Collaboration

Some other security experts point out that it's not the job of the PCI Security Standards Council to enforce merchant or banking institution security. What's needed, they say, is more industry collaboration among retailers, banking institutions, the card brands, processors and law enforcement on sharing information about cyber-attack trends and emerging card fraud trends. And that collaboration should be a long-term focus, rather than a narrow focus on PCI compliance.

Russo says the council's No. 1 goal for 2014 is to enhance and encourage security education among retailers, POS hardware and software providers, and any third party connected to payments transactions.

"A big part of this is education," Russo says. "And there is opportunity here for banks that are issuers and acquirers to educate their merchants."

Research increasingly shows that retailers are cybercriminals' primary targets for card compromises, he acknowledges. And when payment cards are compromised, whether through the fault of the retailer, the card issuer, the processor or some other third party, "everybody loses," he adds.

That's why banks and credit unions must play a lead role in helping to ensure, through education, ongoing security at the merchant level, Russo says.

"Anytime there is a breach, it really shines a spotlight on payments security," Russo says. "Great progress has really been made over the past seven years through a collaborative, cross-industry approach."

During this interview, Russo discusses:

  • How enhanced card technology, such as the Europay, MasterCard, Visa chip standard, could make a difference;
  • Why defining PCI "compliance" is a challenge; and
  • How organizations can better incorporate security into their day-to-day business practices.

Follow Tracy Kitten on Twitter: @FraudBlogger
