PCI: Impact on Mobile Commerce

European PCI Director Says New Tech Creates New Challenges

By , July 5, 2013.
PCI: Impact on Mobile Commerce

New payments technology, such as mobile and emerging e-commerce transactions, is posing security challenges and more hurdles for compliance with the Payment Card Industry Data Security Standard, says PCI Security Standards Council European director Jeremy King.

See Also: Actionable Threat Intelligence: From Theory to Practice

"The biggest challenge going forward is new technology, new technology, new technology," says King during an interview with Information Security Media Group [transcript below].

The PCI Council is seeing exponential growth in mobile commerce rollouts, but card security has often been an afterthought, he says. To address emerging risks, the council is working with expert groups to identify adequate security solutions for these new technologies, King says.

"[There are] lots of challenges over and above just the standard ones of not storing the data if you don't need it," King says. "Trying to improve weak passwords around the place, and trying to improve the overall security of integrated software," also have to be considerations, he adds.

As the council expands its international reach, with a new board of advisers that for the first time includes representation from every major global card market, King says the payments industry is now well-positioned to address card security.

"We have new representatives coming on from Africa and the Middle East, to join the representation we have from the United States, Europe and Asia," he says. "Now we can get a true global perspective about what the challenges are and what is working."

During this interview, King discusses:

  • How small merchants throughout the world are being targeted by malware and other attacks that compromise card data;
  • Steps the council is taking now to address PCI DSS updates to be issued later this year;
  • How emerging payments and technologies are impacting PCI compliance.

King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SCC managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs.

International Challenges

TRACY KITTEN: What are some of the card-security challenges you're seeing internationally?

JEREMY KING: I think your question is really spot on when you say "unique challenges." Everybody has their own particular issues and concerns that affect their organizations. But I think there are some common challenges which cross the boundaries and cross the boards that I think, with the help of our community, the PCI Security Standards Council is addressing.

Unfortunately, the criminals are still finding it too easy to break into everybody's systems. If you look at the latest Verizon security breach report and [other] reports, all of them showed that poor passwords or weak passwords were the number-one challenge we have to address. At a recent conference I was speaking at, I said this isn't low-hanging fruit. This is fruit that's lying on the floor waiting to be picked up. Unfortunately, that's what the criminals are doing. The criminals are finding it easy to break into people's systems.

The next big topic is poorly installed software or poorly integrated software. For an issuer or anybody in security doing the transaction process, you can have the best security programs in the world, but if you install software badly or have it integrated poorly, there's a case of not knowing what you don't know until you're breached. The PCI Council last October rolled out their QIR program - Qualified Integrated Reseller - to help train integrators and resellers to be able to securely install software, try and remove some of these unknowns and try to improve the issue of weak admin passwords and weak user passwords. Those are some of the things that are really raising issues on a global market.

Markets Impacted by Breaches

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Obama Sees Need for Encryption Backdoor

President Obama says he sees the need for law enforcement to gain access to terrorists' encrypted...

Latest Tweets and Mentions

ARTICLE Obama Sees Need for Encryption Backdoor

President Obama says he sees the need for law enforcement to gain access to terrorists' encrypted...

The ISMG Network