PCI: New Approach to Merchant Security
Training Addresses Security Gaps That Lead to Breaches
Russo, who serves as the general manager of the Payment Card Industry Security Standards Council, says the new Qualified Integrators and Resellers Program is taking aim at one of the most vulnerable security points in the payments chain - the point-of-sale.
POS attacks at merchant locations throughout the United States, from the Michaels craft store chain to restaurant chains Subway and Penn Station, have highlighted weaknesses in POS device installations and POS systems integration.
"The program was created specifically in response to incidents we see when a breach occurs after one of these guys does a poor job of installing the systems," Russo says. "Integrators and resellers really play a key role. So we're trying to fill the gaps."
Russo says most of these types of attacks can be traced back to remote-access portals that were either left open or were inadequately secured.
"Often this can be tied to one simple element: not resetting a factory default on certain equipment," he says. "And with this program, we'll be basically educating these installers on the best practices here and in other vulnerable areas during the installation of these applications."
The new QIR Program, as it's commonly referred to, launches Oct. 1 and is being offered online. The council is hosting two webinars about the program - one Aug. 16 and the other Aug. 26 - to offer additional details about enrollment and training qualifications. More information can be found on the PCI Council website.
"The QIR Program will give merchants information that will help them ensure that the applications that are being installed are in compliance," Russo says.
Card issuers also should take interest, Russo says, since breaches at the merchant level impact them as well. "This program is being created to eliminate these breach concerns" and enhance payment card security.
During this interview, Russo discusses:
- How the program is structured and why the council felt the time was right to launch the program;
- Why the industry must engage and educate POS system installers and integrators about known vulnerabilities; and
- How merchants and card issuers can benefit from the program.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.