Infrastructure

02:47 PM
Bob Russo, PCI Security Standards Council
Bob Russo, PCI Security Standards Council
Commentary
50%
50%

Creating A Strong Foundation for Securing Payment Data With PCI Standards

The challenge of keeping data safe can’t be solved by a single technology, standard, mandate, or regulation. The PCI Security Standards Council is an example of the industry collaboration that is needed today.

This week I participated in Congressional hearings on data security in the wake of recent large-scale breaches of payment card information at U.S. retailers. What's been clear in these discussions and in the aftermath of these incidents is the increasingly complex nature of payments security in today's world. This new wave of cybercriminals is relentless and innovative, and as those on the front lines, retailers and banks have to be just as persistent in their defense. A defensive stance that starts with the PCI Standards as a foundation for a multi-layered approach to securing data -- one that addresses people, process and technology.

Bob Russo, PCI Security Standards Council
Bob Russo, PCI Security Standards Council

There's been a lot of buzz about EMV chip technology and the benefits it can bring to the U.S. payments system, as we've seen elsewhere around the world. The PCI Security Standards Council agrees that technology advances are critical in protecting against increasingly sophisticated data theft.

Moving towards EMV chip technology is an important piece of improving data security, but it is not a complete solution in and of itself. It still requires secure passwords, patching systems, monitoring for intrusions, using firewalls, developing secure software, educating employees and having clear processes for the handling of sensitive payment card data. Also, while EMV chip is an effective way to reduce fraud at the point of sale (POS) it's not intended to protect the ever-growing part of our global economy that conducts business online. Used together, EMV chip and PCI Standards, along with many other tools, will provide strong protections for payment card data.

[No One Solution in the Cybersecurity War]

Keeping data safe in today's world is a complex, global challenge that cannot be solved by a single technology, standard, mandate, or regulation. While government can and should play a greater role in encouraging stronger law enforcement efforts worldwide and promoting information sharing between the public and private sector, we believe the private sector best positioned to develop standards to protect payment card data. The PCI Security Standards Council is an excellent example of effective industry collaboration to develop private sector standards -- working together across industries, around the world and down the payment chain, we've made a lot of progress driving payment security forward. And we are continuing to build on this with standards that address market needs and a growing global community that's involved in the ongoing development of these standards.

For example, industry breach reports indicated POS security, secure payment application development, password management, working with third parties, and malware as key problem areas -- and we responded with updates in our latest version of the PCI Data Security Standard (PCI DSS) and PCI Payment Application Data Security Standard (PA-DSS) to address these. And this was done with the aim of providing the right balance of flexibility, rigor and consistency in the standards to help organizations make payment security part of their business-as-usual activity.

Additionally, we're continuing our work on standards for use of technologies that reduce the amount of cardholder data in circulation and offer additional security protections, such as point-to-point encryption and tokenization. These solutions provide methods for devaluing the card data to make it useless to criminals, and also eliminate unnecessary storage of this data in a merchant's system.

Again, these breach incidents underscore complexity of data security issues and why businesses need to develop a multi-layered approach to protecting their customers. The PCI Standards provide a strong foundation for this approach, helping organizations make payment security part of their everyday business practices by addressing people, process and technology. We look forward to continuing our role as a leader in this area and building on the thoughtful and constructive dialogue we've heard this week on smart collaboration between the public and private sector to secure the future of payments.

Bob Russo is General Manager of the PCI Security Standards Council.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KBurger
50%
50%
KBurger,
User Rank: Strategist
2/6/2014 | 9:55:56 PM
re: Creating A Strong Foundation for Securing Payment Data With PCI Standards
Your points about a multi-layered approach are key. With so much publicity and discussion, there is a tendency to seek (and for politicians and mass media to demand) a quick fix. Those in the know understand there is no such thing when it comes to security, especially now.
Byurcan
50%
50%
Byurcan,
User Rank: Author
2/6/2014 | 2:53:32 PM
re: Creating A Strong Foundation for Securing Payment Data With PCI Standards
The author is correct, data security, especially around payments, is incredibly complex, and there is no one solution to solve everything. A multi-layered approach using best practices is what all institutions should have in place
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Slideshows
Video