PCI Council Responds to Critics

Council's GM Says No Standards Changes Needed

Bob Russo

In the wake of recent high-profile retail breaches at Target Corp. and Neiman Marcus, moving toward chip card technology that conforms to the Europay, MasterCard, Visa standard has been a hot topic of discussion.

The PCI Security Standards Council is supporting that move toward advanced card technology because the EMV chip is an extremely effective method of reducing counterfeit fraud in face-to-face payment environments, says Bob Russo, the council's general manager. "It provides protection against lost or stolen cards when deployed with a PIN," says Russo during this interview with Information Security Media Group (transcript below).

"The PCI security standards support the development of the EMV chip technology in conjunction with the PCI Standards as a multi-layered approach to protecting consumers' payment card data," he says. "This includes the use of technologies that reduce the amount of cardholder data in circulation and offers additional security protections, such as point-to-point encryption and tokenization."

During this interview, Russo discusses:

  • Why the council won't modify standards in the wake of recent retail breaches;
  • Why defining PCI "compliance" is a challenge; and
  • How organizations can better incorporate security into their day-to-day business practices.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization's efforts to improve data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI-DSS.

PCI Under Scrutiny

TRACY KITTEN: In the wake of recent retail breaches, PCI has come under scrutiny. Why?

BOB RUSSO: Anytime there is a breach it really shines a spotlight on payment security, and its global impact on the ongoing challenge that we are having for protecting cardholders' data. As the body that develops and messages the standards within card security, we're sort of at the forefront of this challenge. Simply put, the PCI standards are an excellent line of defense against criminals who are seeking to steal payment card data. While several recent high-profile breaches have occurred and captured the nation's attention, great progress really has been made over the past seven years in securing payment card data through a collaborative cross-industry approach. We continue to build on the way that we protect this data on a day-to-day basis.

Retailers' Concerns

KITTEN: What concerns are you hearing from retailers as they relate to PCI and overall card security?

RUSSO: Certainly cardholder data continues to be the target of hackers. I hate to use the word target, but it does continue to be a big target. What we see from the most recent industry breach forensic reports is that retail is probably the number one target these days for criminals. A lot of the conversations and questions we're seeing are around EMV chip technology, and if or how this can prevent these large-scale breaches. So the EMV chip is an extremely effective method of reducing counterfeit fraud in face-to-face payment environments, and provides protection against lost or stolen card fraud when it is deployed with a PIN. But securing payments really doesn't start and end with EMV; the EMV chip is an authentication technology that reduces fraud at the point-of-sale, not really an all-encompassing data security technology.

That is why the PCI Security Standards support the development of the EMV chip technology in conjunction with the PCI Standards, as really a multi-layered approach to protecting consumers' payment card data. This includes the use of technologies that reduce the amount of cardholder data in circulation, and offer additional security protections such as point-to-point encryption now and tokenization as well. These solutions certainly provide methods for devaluing the card data to make it, hopefully, useless to criminals and also eliminate unnecessary storage of this data at the merchant's site as well.

Banks' Perspective

KITTEN: What about the perspective of banking institutions?

RUSSO: With payment card data compromise, everybody loses: the retailer, banks, consumer and card brands. So banks are certainly concerned with ensuring that this information is kept safe and that the customers and business partners they are working with are doing everything that they can to secure the transaction process. Again, right now there is a lot of discussion around the EMV chip and how different technologies can [be] deployed to devalue the data as part of that multilayered strategy for protecting and preventing compromise across all the different acceptance channels. We have a number of banks and financial organizations that are active participants in the work that we do here at the council, including developing our standards and process, and the PCI Standards certainly are developed and updated with their input. They provide the baseline for this multilayered approach to securing data.

Appeasing Banks and Retailers

KITTEN: How is the council working to appease both retailers and bankers, while also ensuring consumer protection needs are addressed?

RUSSO: That is a tough job. Protecting consumer data is at the heart of what the mission is at the council, which is certainly creating standards to keep payment card data secure. We believe businesses following these standards as the basis for their security programs are probably best positioned to keep their customers' data safe. Our focus continues to be around taking the feedback that we get from all of our constituents, including the banks and retailers, and using it to continue to develop and update standards that organizations across different industries and geographies can use as a baseline of security best practices. For example, based on this input, the PCI Security Standard version 3.0 that we just released addresses key challenge areas, such as the lack of education and awareness, passwords, third-party security, and with changes that are aimed at providing the right balance of flexibility and rigor, as well as being consistent with the standard to help organizations make payment security part of their business-as-usual activity.

Recent Breaches

KITTEN: How have recent breaches spurred the PCI Security Standards Council to do more?

RUSSO: It's important to remember that the PCI DSS is a set of controls that really provides layered security, so no single requirement or product is going to be a silver bullet here. It is a defense-in-depth approach that is really critical to making sure that this data is secure. We're constantly working with the industry stakeholders to enhance standards, and the recent release of 3.0 really reflects many of those updates. For example, breach reports were indicating that POS security, secure payment application development, password management, working with third parties, and malware were key problem areas. We responded with updates to the Standard with the aim of providing just the right balance of flexibility, rigor, and consistency to help these organizations secure data and make security part of their day-to-day work.

Additionally, we're continuing to work on standards for use of these different technologies that reduce the amount of cardholder data in circulation and offer additional security protections that I mentioned earlier; point-to-point encryption and tokenization certainly are two of those. These solutions provide methods for devaluing card data and making it useless to criminals. Also, they eliminate unnecessary storage of the data at the merchant's site as well. So the industry is out ahead of this looking for ways to keep improving the PCI Standards, and we believe that they are really a strong defense against these data breaches. There is nothing in the current publicly available information that tells us that the Standards need to be changed at this point.

PCI Failing?

KITTEN: Would you say that PCI is failing or is it just that retailers, integrators, and assessors are failing to adequately comply?

RUSSO: Comply is a tough word; this is really not compliant. This is really about good security, and ultimately good security leads you to compliance. As the most recent forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics for implementation and maintenance of controls. The PCI Standards cover these security controls. Incidents like these really highlight the need for businesses to build security into their day-to-day, or business-as-usual, practices. In the case of the PCI Standards, it is especially important that it does not become a once-a-year event, like people think of when they think compliance. When the compliance assessment is due, they study for the test, if you will, rather than making this part of their daily business as usual. So that is what we're trying to get them to realize needs to be done right now.

Point-of-Sale Hardware Providers

KITTEN: What about the obligations of point-of-sale hardware providers?

RUSSO: There are really no formal obligations from PCI, but we certainly encourage that they have all payment capture mechanisms validated under our PCI PIN Transaction Security, or PTS, requirements and support the secure configurations of those. Specifically we're encouraging them to build devices to the new PTS standards, and by new I mean the 4.0 requirements that we recently released, which have enhanced security built in, PTS Secure Reading and Exchange of Data, or SRED, as an example. SRED encrypts cardholder data, and we really encourage merchants to use PCI point-to-point encryption solutions in conjunction with these SRED devices that encrypt at the swipe.

Windows XP

KITTEN: What would you say the implications are for Windows managed devices with the expiration of XP?

RUSSO: In terms of PCI, the PCI DSS requirements 6.1 and 6.2 address the need to keep the systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor or developers, security patches might not be available to protect the systems from known exploits, and these requirements would obviously not be able to be met.

Asking Too Much?

KITTEN: Would you say that we're asking too much of retailers where security is concerned?

RUSSO: These cybercriminals we're seeing out there are relentless and, more importantly, they are innovative. We in the security space need to be the same in our defenses. Recent breaches highlight the need for businesses, as I said, to build security into their business-as-usual practices. In the case of the PCI Standards, it is especially important that this really doesn't become a once-a-year event when a compliance assessment is due, but rather a daily occurrence.

KITTEN: How could Target's breach actually work to enhance PCI compliance?

RUSSO: Anytime there is a breach, there is an opportunity for organizations to evaluate their security programs. The fact that this is being highlighted on a day-to-day basis has got everybody thinking about it, and about the strength of the PCI standards as this multi-layered approach. As we move toward people thinking about EMV now, you can shore up defenses to keep intruders out and manage the situation quickly if you see an intrusion. In addition, the requirements for POS security ensure that secure terminals with added protection from memory scraping are available in the market. So as people begin to retool and think about updating their POS devices, they should really look to our lists and see if they can pick one of the terminals that has been certified as PCI compliant, especially in light of the fact that some of these are old legacy terminals. As they look for the latest and greatest, they should look to our lists for version three and version four terminals.

KITTEN: Any final thoughts you would like to share about risk assessments or stronger enforcement of PCI compliance?

RUSSO: I mentioned earlier that a big part of this is education, and a lack of awareness was one of the key areas that were cited in forensic reports as leading to compromises. In thinking specifically about your audience, there is definitely an opportunity for banks and acquirers to be educating their merchants, specifically around the importance of protecting that cardholder data, understanding what the responsibilities are, and the ways in which they can reduce that cardholder data footprint.