PCI's Russo on State of Retail Security
Why POS Security Must Go Beyond PCI Compliance
"Compliance does not equal security," says Russo, general manager of the Payment Card Industry Security Standards Council, during an interview with Information Security Media Group. "Even with the best standards in place, these criminals are persistent in their attacks ... and businesses basically have to be defensive in their protections."
Russo says security has to be part of everyday business. "We have to change the conversation in the board room," he says. "Businesses basically have to be defensive in their protections. This has to be a daily priority."
It's been nearly seven months since news of the payments breaches at Target Corp. and Neiman Marcus made headlines and questions about the efficacy of the PCI Data Security Standard started to garner more attention.
Now, the just-confirmed breach at restaurant chain P.F. Chang's is renewing worries about card risks, and is likely to put more public pressure on merchants and card issuers to enhance payments security. "Any time there is a breach or something in the news, it heightens the concerns about security," Russo says.
But merchants and card issuers have made great progress in recent months toward shoring up security, mainly through their acceptance and issuance of chip cards that conform to the Europay, MasterCard, Visa (EMV) standard, he says. "Everybody is getting ready for it. We expect to see about 100 million [EMV] cards in the market by the end of the year."
By the end of 2015, after the liability shift dates set by the card brands, Russo predicts the U.S. will have more EMV cards in circulation than the United Kingdom and Canada combined. Once the liability shift takes effect, merchants will be held responsible for fraud losses tied to magnetic-stripe transactions for most point-of-sale purchases.
Efficacy of PCI?
In an interview earlier this year, Russo noted the PCI Council baked additional security mandates into version 3.0 of the PCI-DSS, which took effect in January. Version 3.0, he noted, specifically addresses the risks of POS malware, which was involved in the breaches at Target and Neiman Marcus.
"As the most recent industry forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics - poor implementation, poor maintenance of controls," he said in that interview. "And the PCI standards [already] cover these security controls."
But Russo, in this new interview, stresses that merchants cannot lean on compliance alone for security, and that layers of controls are required to ensure POS networks and devices are as secure as they can and should be.
Security requires a multilayered approach that combines advanced card technology such as EMV with tokenization and point-to-point encryption, Russo says.
"The complex nature of today's threat environment supports the need for a multilayered approach," Russo says. "As the market migrates payment terminals [to comply with EMV], we encourage everybody to consider these additional layers of security. There is no silver bullet here. Layers are needed so that the potential for a breach and the damage caused by a breach can be mitigated."
During this interview, Russo also discusses:
- Work the council is doing to enhance international information sharing about card security;
- Why more education about cyber-risks among small businesses is needed; and
- How recent breaches have impacted PCI and the role the PCI Council expects to play.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization's efforts to improve data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI-DSS.