By Jim Daly
The PCI Security Standards Council is now a decade old, and as it concludes its annual North America community meeting in Las Vegas Thursday it faces a payments-security landscape vastly changed from the one it confronted 10 years ago, with mobile payments, tokenization, and so-called fin-tech startups new on the scene. But data breaches and other threats abound, much as they did in September 2006 when the PCI Council began life as a creation of the four major U.S.-based card networks—Visa Inc., MasterCard Inc., American Express Co. and Discover Financial Services.
Digital Transactions News asked Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Council, if he thinks his organization has been successful.
“I absolutely do, and sometimes that’s hard to see,” he says.
“The success is that there are organizations encrypting their card data, that didn’t exist 10 years ago,” Leach says. “There are organizations segmenting their card data, that didn’t exist 10 years ago.” He adds that simply “raising awareness” about the importance of protecting card data is one of the Council’s biggest successes.
The Council melded the networks’ individual data-protection standards into the Payment Card Industry data-security standard (PCI-DSS), compliance with which is obligatory for merchants, processors, and vendors that handle general-purpose card data. The Council also oversees and updates nine other related standards governing, among other things, card software, PIN-accepting and point-of-interaction devices, and point-to-point encryption of card data.
Not unexpectedly, the PCI Council has been controversial from its birth. Merchants, especially, have grumbled about the cost and complexity of complying with the PCI-DSS and other rules. And while the Council makes the rules, enforcement is up to the card networks, merchant acquirers, and a host of vendors hired by acquirers to inspect card operations, leading to questions about the fairness of the PCI system. Critics note that data breaches have by no means diminished—Target Corp.’s breach compromised 40 million cards and The Home Depot Inc. compromise ensnared more than 50 million. Both came along years after the PCI rules took effect.
“Data breaches will continue to be there because we’ve grown the ability to have remote distributed access [to card data],” Leach says, going on to note that the coming of mobile devices and the iterations of mobile payments, including in-app payments, have their good and bad sides.
“All these new opportunities present new opportunities for criminals,” he says.
There hasn’t been a huge breach like Target’s for some time, but recently a number of hotel chains have reported compromises of point-of-sale systems in their restaurants, bars, and other non-reservation venues. And Oracle Corp. this summer disclosed that it had found malware on some of its older Micros POS systems, which are widely used in the hospitality industry.
As it continues to grapple with protecting traditional payments, the PCI Council is keeping an eye on emerging systems such as mobile payments. Within a couple of months, the Council expects to issue an update to its card-production standard that will address the over-the-air provisioning of cardholder data to mobile devices, according to Leach. “It would be the current card-equivalent credentials uploaded to the [mobile phone’s] secure element or the HCE [host card emulator] in the cloud,” he says.
Avivah Litan, a vice president and security technology analyst at Stamford, Conn.-based Gartner Inc. who has followed PCI since its early days, says “the PCI Council has been very successful in some ways and very unsuccessful in others.”
“Successful—in creating a relatively thorough standard with lots of inputs from security experts around the world,” she tells Digital Transactions News by email. “They also raised security awareness and helped move the market towards more secure payment systems.
“Unsuccessful—in thinking about and coming up with a standard that can be practically enforced so that companies are more secure, not just compliant on paper. So while thorough, the standard has done nothing to stop many destructive breaches against the payments industry.”
Another long-time PCI observer, Al Pascual, senior vice president and head of fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research, says “lack of an effective mechanism to ensure compliance” has hamstrung the PCI Council’s effectiveness.
Pascual, in an email, disagrees with Litan on the awareness issue, saying the Council’s effectiveness has been hurt by “a lack of awareness among many merchants as to threats they face, which in turn contributes to a failure to comply” with the rules. He adds that “updated guidelines are themselves often influenced by major data-loss events or trends, meaning that they have an inherent lag time.”
Still, he says the Council “was created for the right reasons and [has] made the right recommendations when it comes to data security.”