The recent data breach that compromised U.K.-based telecom company TalkTalk, potentially putting millions of European consumers' personal data at risk, illustrates that breach risk mitigation is a critical issue worldwide (see: TalkTalk Faces Ransom Demand).
Jeremy King, international director of the PCI Security Standards Council and a featured speaker at Information Security Media Group's Fraud Summit London on Oct. 27, says data security throughout Europe is getting more scrutiny because of an uptick in high-profile breaches, such as the intrusion TalkTalk revealed on Oct. 22 that may have exposed credit card and bank account information and other personal data.
While the perception among many European businesses is that data breaches are much more common in the U.S., King says that's inaccurate because breach disclosure requirements in Europe are much more lax than they are in the United States.
But the EU Data Protection Directive and the Directive on Payment Services will impose beefed up breach notification requirements once they eventually go into effect, King explains during this interview with ISMG.
"Recent high-profile breaches clearly have shown that breaches don't just happen in the USA," King says. "Regulators in Europe are getting tired of these breaches. ... We are still fighting a major battle against the cybercriminals, and organizations need to take this seriously. Criminals are finding their way in. And once they're in, they can get access to a lot of very valuable data."
Unencrypted Data A Worry
In announcing its breach, TalkTalk revealed that some of the data that was exposed was not encrypted.
King says the exposure of unencrypted data has become all too common in many of the recent European breaches. While many organizations have worked to shore up their card security practices by conforming to requirements laid out in the PCI Data Security Standard, they've failed to apply those same kinds of safeguards to other consumer information, he contends.
"All data needs to be protected," King says. "And our standard is applicable to all data security. ... If you don't need it, don't store it. And if you do need it, encrypt it."
Although the PCI-DSS does not specifically address personally identifiable information, the same processes and procedures laid out in the PCI-DSS for card security apply to other data protection, too, he points out.
The PCI Council plans to stress this point as European businesses gear up for more stringent data security and breach requirements, King adds.
"Organizations should start preparing now," he says. "It will take time to really look at these [new] standards and work out how they're going to impact your organization."
During this interview (see link to audio below photo), King also discusses:
- Why Europeans are not well-informed about breaches;
- Key points that he plans to focus on during his presentations at ISMG's Fraud Summit on Oct. 27 and the PCI Council's EU Community Meeting in Nice Nov. 3 through Nov. 5; and
- How the number of data breaches reported next year in Europe could skyrocket because of new disclosure mandates.
To learn more about ISMG's Fraud Summit London, visit the summit registration page.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.