Don’t let all the latest data-breach news distract you from one overriding fact: PCI is securing more and more card data from hackers, says Bob Russo.
Bob Russo is general manager of the PCI Security Standards Council, Wakefield, Mass.
As evidenced by recent high-profile breach incidents, protecting customers’ valuable payment card information in today’s world is an increasingly complex challenge. But as challenging as data security is, it’s important to keep things in perspective. With headlines blazing about the latest data breach, some have chosen to focus on these incidents as the norm, rather than the anomaly they truly are. We don’t hear about the many, many attacks that were thwarted because organizations are using Payment Card Industry standards to make payment security an everyday priority for their business.
In the banking and payments industry, experts know that the volume of payments successfully and securely processed outnumbers any number of compromised transactions by a HUGE multiple. But the breaches make the headlines for a number of reasons:
1. Some in the security business (including people who should know better) amplify these episodes to disparage their competitors and leverage fear to generate new sales pipelines;
2. We know that a mental image of hackers from afar appeals to the James Bond (or Austin Powers) fans in all of us. Let’s face it: Disaster and criminal acts grab our interest;
3. It is hard to imagine a compelling story about a process that works most of the time and that most of us take for granted. Think about it. When was the last time you read a headline about the power staying on and you continued to read that article?
Conflict, after all, is an appealing part of any narrative. But for an accurate picture of the state of payment security, we must look at the more mundane elements and account for the ongoing progress and positive trends impacting daily efforts to secure payment transactions.
For example, in the recent “Verizon 2014 PCI Compliance Report” from Verizon Enterprise Solutions, a unit of the giant telecom company, there are a number of items that we can look at to better understand the progress that organizations have already made in securing payment card data.
Let’s begin with this excerpt from the report:
With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.
Our approach to developing strong security standards combines people, process, and technology as key parts of payment card data protection. This progress has been built with the feedback of a community of more than a thousand members from the full spectrum of those with an interest in payment security, including merchants, financial institutions, payment brands, and security experts.
The Verizon report also says:
The PCI SSC initiated several Special Interest Groups (SIGs) to provide guidance on technologies like cloud computing, virtualization, and tokenization, and other broadly applicable topics like risk assessment, maintaining PCI compliance, and third-party security assurance. It has also added multiple “best practices” to the DSS, which forward-thinking organizations can adopt before they officially come into force.
Even with the best standards in place, criminals who are after payment card data are persistent in their attacks. So we have to be persistent in our defenses, relying not just on one layer of protections but many. This effort must be part of an ongoing and vigilant security program.
The PCI community continues to work to update and develop its standards while also providing guidance on other technologies that work in concert with PCI standards and can offer additional security measures. Point-to-point encryption and tokenization are two such measures on which we have provided detailed guidance, and both can improve an organization’s security posture.
Finally, consider this result from the report:
Just over 70% of organizations that we assessed in 2013 were “nearly there”—complying with 81-99% of controls—up from 25% in 2012.
The growth in adoption of the PCI standards illustrates the importance that organizations are placing on securing their payment process. This isn’t just about checking a compliance box, but about taking the steps necessary to lay the foundation for all future security efforts. The Verizon report also notes that compliance with the PCI standards makes a business more secure and minimizes the potential of a data breach.
These results don’t constitute a proposition or a theory. This is empirical evidence that the PCI standards work. Many of you may say, “But I just read that so-and-so was breached!”
Yes, organizations will continue to be affected by cybercrime. But we know—and we want you to know—that the PCI security standards provide a strong foundation for payment card security, not just now but as we look to protect these data moving forward.
You don’t have to take my word for it. As the Verizon report says:
But is [the PCI Standard] effective in achieving security? Our evidence suggests that it is.
Yes, there’s no doubt data breaches have captured the nation’s attention. But don’t let that warp your perspective. Through the collaborative cross-industry approach we have followed over the past seven years, the payments industry has made great progress in securing card data, and we continue to build upon the way we protect this sensitive information.