Being PCI compliant merely the first step in payment security
By Gabey Goh November 26, 2013
- Default passwords and SQL injections behind the majority of breaches
- Merchant education on-going challenge, especially with new attack vectors
IF Bob Russo could ‘move the needle’ just a little bit in the expansive and never-ending campaign for better cyber-security measures, he knows exactly where he’d focus his energies.
“If I could make companies and people change their default passwords, I’d be able to eliminate 95% of security breaches immediately,” said the general manager of the Payment Card Industry (PCI) Security Standards Council in an interview with Digital News Asia (DNA).
The PCI Security Standards Council is an open global forum launched in 2006 that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
“The things we’re seeing, when systems have been compromised, are really the simplest of breaches,” he said.
The main reason for this, according to Russo, is the 'migration of fraud,' with attackers moving away from large companies and merchants which have internal IT resources and data encryption adhering to regulatory compliance, to smaller merchants which lack such technical resources.
“Ask a small merchant about PCI compliance and it would have no clue, as [such merchants] typically purchase an out-of-the-box solution from a vendor. It comes down to very simple things, such as not changing the default password for your e-payment gateway. Why do exploits from hackers need to be sophisticated? They can easily get in already,” he said.
One segment in which this is of particular concern is franchise organisations, said Russo. Franchising is a terrific way to get into business with less need for prior industry knowledge, but because of the way such expansion programmes work, franchise owners receive cookie-cutter solutions that they rarely customise.
“A hacker can just walk in and look at what point-of-sale (POS) system the franchise is using, find the application and do a default password lookup on Google. You will find tens of thousands of franchise outlets using the same system and would just need to go down the list until you find someone still using a default password, and you will,” he said.
The other issue that he’d like to move the needle on is the persistent use of SQL injections by attackers.
“There are a myriad of ways, even within our standards, to stop this thing, but until that is addressed alongside default passwords, there is no need for hackers to come up with elaborate new hacks. It’s a 12-year-old exploit, and we’re all still trying to figure out how we can get people to pay attention,” he added.
Russo noted that in many cases, small and medium enterprises (SMEs) are looking to buy a one-stop tech solution that can make it all go away, but successful security measures have to do with the people, and incorporating business processes with technology.
When asked what advice he has for SMEs seeking to ensure that they are doing what is necessary to secure financial transactions for their business, Russo said the easiest thing to do is to start with the business’ acquiring bank for information on becoming PCI-compliant.
He admitted that education remains an on-going challenge with the continual need for industry bodies such as the PCI Council to reach out and inform stakeholders about the value and need to take security seriously.
“I’d love to tell you our website is a destination website for merchants, as we publish and host lots of good information, but it isn’t. We can send small merchants information and guidelines till we’re blue in the face but we can’t make them read it. The push has to come from those which already have a relationship with them,” Russo said.
With this in mind, the PCI Council has begun establishing partnerships with industry associations, such as the National Retail Federation in the United States, to aid in raising awareness.
“It has the touch points with merchants, and we’re also looking at partnerships in this region,” he added.
Russo said that the council also offers training and publishes guidance documents on meeting security requirements.
“We initially thought that larger corporations would be using it, but in fact a large portion of users are SMEs. It has common sense things in it, such as taking a photo of your POS machine every week, checking for any changes to the hardware and checking the identification stamp on devices to ensure there’s not been any tampering,” he said.
The reason for such simple measures is the fact that while businesses handle a lot of financial data on a regular basis, the people who accept it are transient.
“For example, in the food and beverage (F&B) industry, turnover for floor staff would mean that there are new people handling payments every few months or so. How would you know that they are not skimming off the top?” he said.
Russo said that this year marks the first time the retail industry has claimed the No. 1 position as the largest source of breaches, a position traditionally held by the hospitality/F&B sector.
In his view, despite the limited resources smaller merchants have, it is imperative that issues such as transactional security are addressed.
“Most consumers don’t understand the difference between credit card fraud and identity theft. And if you’re a merchant, you really have to be careful because consumers are getting smarter, and if they find out you are not protecting their credit card or personal data, they’re going to stop giving you business.
“It’s really important to be secure with these things, and many companies don’t think to include security in their business plans,” said Russo.