The Fraud Blog with Tracy Kitten

PCI Community Meeting: Timely Agenda

A Fresh Look at Card Security in Wake of Breaches

In the wake of point-of-sale malware attacks and subsequent card breaches we've seen plague retailers and bankers alike over the last 12 months, a fresh look at card security is clearly a necessity.

See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture

For its part, the Payment Card Industry Security Standards Council has taken steps in recent months to help businesses, especially smaller ones, shore up their POS defenses.

And at the Sept. 9-11 North American PCI Community Meeting in Orlando, Fla., I suspect much more will be discussed regarding the need for layers of security - a point the PCI Council has been preaching for the last three years.

Over the last nine months, since the Target breach, the PCI Council and federal banking regulators have stressed the need to closely monitor third parties, conduct regular and ongoing risk assessments and make investments in layered security features to protect cardholder data from the point of purchase to the point of settlement.

Yet, as the just-confirmed breaches of Home Depot and Goodwill Industries show, retail breaches persist, and data continues to be compromised.

For ongoing card data protection, the council has repeatedly stressed the need for EMV, tokenization and encryption. During the meeting this week, all three of those areas will be addressed by experts in the field, including Randy Vanderhoof, executive director of the EMV Migration Forum. I'll be meeting with Randy, along with other experts, to discuss exactly where the U.S. is in its migration strategy, and if the October 2015 liability shift for fraud that results from magnetic-stripe cards is one retailers are taking seriously.

But the council is dealing with a number of other issues, including how it can make the PCI Data Security Standard more viable for the merchant community. That, I suspect, will be a key discussion point during the conference this week, and it's one I'm keen to hear more about from merchants and the council.

This week's Community Meeting is the first since the recent release of version 3.0 of the PCI-DSS, which took effect in January.

Version 3.0 included significant changes. Many merchants, by their own admission, have been at a loss regarding where to even start their compliance efforts.

Having questions answered about what parts of the PCI-DSS should be their focal points will be key during the meeting this week. I hope we all walk away with more answers.

Times Have Changed

So much has changed since 2010, when I attended my last Community Meeting. Back then, we expected upticks in payment card breaches and fraud, but no one could have predicted the attack activity we've seen this year.

Today's attacks are targeted, sophisticated and have proved challenging for retailers to detect. These are no longer just skimming attacks or POS device compromises. They're network intrusions that require much more to mitigate than a mere migration away from mag-stripe technology.

All of the recent POS malware attacks, including those involving the use of Backoff and BlackPOS, which is suspected to have been used against Target, Sally Beauty, P.F. Chang's and Home Depot, will be hot points of discussion.

Have any questions you'd like answered during this week's Community Meeting? Post a comment below and let me know.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.