PCI Updates Address Retail Breaches
New Data Security Standards Take Aim at Merchant Vulnerabilities
Troy Leach and Bob Russo
Mitigating card risks associated with retail malware attacks and POS vulnerabilities is a focus of updates to the PCI Data Security Standard, say Bob Russo and Troy Leach of the PCI Security Standards Council.

Version 3.0 of the Payment Card Industry's DSS and the Application Data Security Standard will be issued in November. But during last week's PCI Community Meeting in Las Vegas, the council reviewed the updates and changes that the payments industry should anticipate, says Russo, general manager of the council.

"We were making updates based on feedback from our board of advisers and the PCI community at large," he says. "Key discussion topics have revolved around passwords and authentication requirements, as well as changes related to third-party risks."

A big focus of the updates in the standards - the first to be issued since 2010 - is merchant and point-of-sale security, says Leach, chief technology officer of the PCI Council.

"We continue to see attacks directly against merchants using malware, and they're usually using two or three forms of malware in order to create the compromise," he says. "Malware will continue to be a heavily emphasized point by the council."

In Version 3.0, third-party risks, the security breaches caused by the use of default passwords for POS hardware and software, and emerging mobile and cloud threats also are addressed, Leach adds.

Another component of the update, Russo says, is the United States' roadmap for compliance with the Europay, MasterCard, Visa standard, better known as EMV. "Multichannel retailers need to consider their entire structure, especially e-commerce environments," he explains. "EMV only addresses fraud in the brick-and-mortar environment."

During this interview with Information Security Media Group, Russo and Leach discuss:

  • How EMV will impact fraud migration and introduce new card fraud risks;
  • POS software vulnerabilities that continue to plague merchants; and
  • Why malware education for merchants is getting more attention.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization's efforts to improve data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. He works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI-DSS.

In his role as chief technology officer and lead security standards architect for the PCI Security Standards Council, Leach has developed and implemented a comprehensive quality assurance program to promote consistency within the council's QSA, ASV, PA-DSS and PED programs. Before joining the council, Leach led the incident-response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.
