Being PCI compliant merely the first step in payment security
By Gabey Goh November 26, 2013
Too much of a good thing?
Due to breach notification laws in the United States, any time there is a major breach, Russo immediately imagines chief executive officers (CEOs) calling up their IT and risk departments, asking if the same can happen to their organisations.
“Then the response would be ‘No, we’re PCI compliant, it can’t be,’” he said with a smile.
He said that he sees many IT leaders using PCI standards as a springboard to get much more security into their organisations.
“PCI standards are really only concerned with credit card data but they can be applied to any kind of data. CIOs (chief information officers) are saying to CEOs that it’s not about the return on investment, but rather a necessity mandated by regulation -- which in turn, gives them the opportunity to bring in much more security,” he added.
Russo said that a number of governments worldwide are looking at PCI standards as a model for other cyber initiatives, protecting critical infrastructure such as finance.
“We’ve been consulted by the Obama Administration over the past six to eight months on our standards and how they work. We’re happy that they’re looking at us but it’s been a long road -- about seven years -- and we can tell them what doesn’t work because we’ve fallen into every one of those traps ourselves,” he said.
When asked about Asia Pacific, Russo said the council has been active in the region for some time although its footprint is not as large as he would like.
“I would like to see PCI standards adoption in the region being a lot more, but there’s still slow uptake. The trend here is unless something becomes regulatory and mandated, not many will take action,” he said.
Russo said that he has noticed a large number of government and regulatory bodies pointing to PCI standards but not understanding their full impact if adopted.
“Many are putting ‘Must be PCI compliant’ without really understanding what this entails, and so when it comes to enforcing these standards, they have no idea where to begin,” he said.
Despite that, Russo is not shaking his head at the attention PCI standards have been getting of late, adding that many queries have been received about the standards and how they can be inserted into security plans.
“The nice part is the majority of the time, people are already doing what we advise. We’re not asking for magic to happen, it’s just basic security standards that should be applied,” he said.
“Whenever PCI standards are introduced to a new region there’s typically a lot of pushback, not unlike the reaction to paying taxes, until they take a good look at it and realised they’re already doing 75% to 85% of it, [so] it’s just good business to do so,” he added.
The PCI Council recently released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organisations, including merchants, payment processors, financial institutions and service providers.
The latest version comes with a stronger focus on some of the greater risk areas in the threat environment; improved flexibility for all entities implementing, assessing and building to the standard; and alignment with changes in industry best practices.
“In contrast to what people think, there is a life-cycle to our standards, which is about three years. There’s an implementation year, followed by a feedback year and an update year; our standards essentially cover everything in terms of breaches,” he said.
Pre-empting an often-asked question, Russo said that though the standards cover the breadth and scope of securing financial data, breaches can still happen.
“It’s like insurance. You can be told to put dead-bolt locks on your doors, but you could still get robbed because you walked out and forgot to lock the doors. It’s about security, not so much compliance,” he added.
He noted that an organisation may be compliant at the point in time where a check was conducted, but if a piece of software is not updated or patched, then the company is out of compliance.
Mobile matters and future standards
When asked for his thoughts on the rise of mobile-based payment solutions, using either embedded chips such as NFC (Near Field Communication) or external attachments to accept credit card payments, Russo’s reply was mixed.
“Don’t get me wrong, smartphones are the greatest experience in the world, but how safe are they? My smartphone is probably the most insecure device in my backpack. You can download an app but how do you know that it’s not looking at the data on your device or using it as a transport mechanism for a malicious attack?
“What happens if you lose it and payment information is also stored on it? Convenience trumps security all the time, that’s how the world works. We don’t want to stifle progress here and we’re not telling people not to use their mobiles for payment, but in the role we play, we give guidance. That if you do plan to use it, you have to be concerned about certain things,” he said.
He added that the council does put out best-practice guidance for vendors, but also noted that mobile devices are getting more secure with each product cycle.
Russo also said that at some point in the future, the council would put out a mobile security standard and is working with other organisations so that there’s no duplication, but noted that due to the rate of change in the mobile space, it was currently not feasible.
“Mobile is on everyone’s mind at the moment and is a big concern but we haven’t seen major breaches yet on mobile,” he said.
He reasoned that it was due to the ease of stealing information via other means that attackers are not compelled to come up with a mobile-centric strategy.
“If you’re going to do mobile, how many credit cards can you steal? To make it worth my while as a hacker I’m better off hitting someone who’s got hundreds or thousands in a single place.
“You’re definitely going to see mobile breaches in the future, but not for as long as the other methods of attack remain the easier route,” he added.