Visa's Perez on Why PCI Still MattersEven With Shift to EMV, PCI Compliance Remains a Priority
Even though the U.S. is migrating to the EMV chip, Visa is still stressing the need for merchants to comply with the PCI Data Security Standard, says Eduardo Perez, the card brand's senior vice president of payment risk.
See Also: Taking Advantage of EMV 3DS
In this video interview at Information Security Media Group's recent 2015 Fraud Summit New York, Perez explains why PCI compliance is the best way to ensure payments networks aren't breached, while EMV makes breaching card data much less appealing.
"What we've seen in other markets that have deployed EMV chip technology is that those merchants that deploy the technology become less of a target for cybercriminals," Perez says. "Card data is devalued significantly as a result of EMV, and it really prohibits the organized criminals who are perpetuating these attacks against merchants to obtain that data, to sell it on the black market or to use it to perpetuate counterfeit fraud."
But EMV does not prevent breaches, he notes, which is why PCI-DSS compliance is so critical.
"Retailers need to remain vigilant in practicing good security hygiene and complying with PCI-DSS at a minimum," Perez stresses. "We continue to require entities to comply with PCI-DSS; that's another way that we are ensuring that large merchants, in particular, remain focused on protecting sensitive, residual data that may flow through their systems. And then what we also have promoted is merchants adopting other technologies, like encryption and tokenization, to protect residual data. Those technologies, in combination or in and of themselves, help to devalue data, which makes the likelihood of a breach less and the cost of a breach much lower for the affected institutions."
During this video interview, Perez also discusses:
- Ongoing risks point-of-sale integrators and resellers pose for smaller merchants;
- Why larger merchants should be just as concerned about protecting consumers' personal information as they are about protecting cardholder data; and
- Why emerging EMV-compliant mobile payments, such as Apple Pay, when used at the physical point-of-sale, are not considered card-not-present transactions.
Perez, who has been with Visa since 2002, currently leads the card brand's risk strategy and payment system cybersecurity teams. He's helped lead efforts to develop and execute industry risk and authentication initiatives to protect and devalue sensitive payment data and promote the long-term integrity of the payment system. Before joining Visa, Perez was with the Federal Reserve Bank of San Francisco's Division of Banking Supervision and Regulation, where he held various positions.