Payments technology changes rapidly, and cybercriminal techniques have no trouble keeping pace.
Thus, payments providers, merchants and consumers have nearly become numb to news about payment card and personal data theft. Against that backdrop, the Payment Card Industry Security Standards Council, which maintains the PCI data security standards, must set new rules without hindering development.
As international director for PCI, Jeremy King travels the world in delivering that message, giving him a keen view of how the war against hackers and cyberattacks is progressing, what areas of security need the most attention, and where PCI data security standards will take the industry in the future.
King took time from last week's PCI Community meeting in Barcelona, Spain to talk to PaymentsSource about the successes and challenges of PCI as the security conscience of the payments industry since the major card brands combined programs to form PCI and issue the first standards in 2004. This interview has been edited for length and clarity.
With new security challenges surfacing daily, is it difficult for PCI to keep on task with a specific focus and goal in mind?
King: Looking at some areas in more detail, we have been working very closely with EMVCo in terms of developing and releasing the new 3D-Secure for increased security for online transactions. And we are also working closely with them on tokenization. We are very conscious of the fact that if we can de-value the data and make it of no use to criminals, that is a long-term goal.
Acceptance of payments through mobile devices continues to advance, bringing new security pressures. What's the key security advancement that you're facing today?
King: A process by which small merchants ... can use their mobile phones to accept payments has been around for some time now in the U.S. with Square and others, but most have done chip and signature on the phone. We are now taking that to the next level so we can do chip and PIN on a phone. In EMV-mature areas, that will become a standard to support an mPOS device.
Merchants have clearly had their ups and downs with PCI data security standards compliance. Some fully support the concept that the industry is policing itself, while others see it as a money grab from the card brands with standards that carry fees for compliance and fines for non-compliance. Is any of that interaction changing?
King: I would be lying if I didn't say yes, there are some detractors out there. Generally, people understand the need for the requirements, but the message is not always as clear as it could be. When you look at different sectors within the merchant community, the challenges that multi-chain retailers have in meeting PCI requirements are very different from the airline, hotel or travel industries. It is not easy to say that one size fits all, but the beauty of it is there is one standard that fits all.
Still, that's just words in the minds of many merchants. How does PCI address these differences?
King: It's about trying to work with these different organizations to understand the particular challenges they face and how we can address and support them in those challenges. We have a board of advisors within the council, and the merchant community is one of the biggest we have represented on it. We are pleased to have airline companies and Target, Walmart, Starbucks and Disney in order to get to their different experiences.
No one questions the need for data security; it is a matter of how to comply with different requirements within particular sectors. That is where our PCI community works, making sure we are giving the right information to the airlines and big retailers and knowing they will meet customer needs when securing the data.
The Equifax breach was obviously a significant blow to data security. What were PCI execs and members thinking when this occurred? Is it a case where the stronger the retail security sector gets, the more attacks we'll see on credit, insurance and health-care companies?
King: It is always disappointing and frustrating when you see a large breach occurring. At the moment, our biggest challenge is improving security centers on patch management and passwords.
The criminals are very good at adapting and probing for new weaknesses. Where patches are implemented in a timely manner, data is safer. We can understand a short delay to make sure a patch won't affect your business, but not to do it within four months or six months, or even 12 months, then you are really asking for trouble. We see it over and over again that poor patch management has resulted in breaches.
For several years now, any organization or vendor involved with data security laments the use of weak passwords. That doesn't seem like it's going to go away anytime soon.
King: Password [protection] is an area where you can have some interesting discussions. Should it be four characters, eight characters, 20 characters or no characters at all and just go to two-factor authentication?
Unfortunately, we live in a world where we still have passwords. Any company concerned about security should have a strong password policy and a plan to regularly change them. Especially, don't use 'password1' or 'password2,' or any of those types, because criminals know this and they target individual people and try to find a weak password. They get an inside track on companies not obeying these practices, then they start placing malware in the network.
What type of message would it take to get companies to understand this problem and address it?
King: Organizations have to focus on security. It's this simple: If you are connected to the internet, you are under attack.
The government is trying to establish more secure practices for all industries to follow, but overall too many companies are not paying enough attention to securing data. There were 3.5 billion records lost last year, so half of the world's population has lost personal records. We have to keep banging the drum, and that drum is a basic good level of security to start with — good password protection, good patch management, good awareness of network security. That's where PCI comes in. We talk about all of these things.
When all is said and done, does PCI still have the problem that many merchants feel that PCI compliance means they are entirely secure, and that's it?
King: For some people, they think they can do security compliance once and they are done. No. Security never ends, it is an ongoing process. Many merchants operate at a minimum security level, but we know certain parties will be bigger targets.
That is why we have seen more focus on third-party software providers and processors. We expect them to have a better level of security. We are working with advisors to develop a new set of PCI data security standards that focus on people in different channels. You may be doing the right thing with face-to-face payments, but there are other needs in other channels. PCI has always been standards and guidelines that should complement other security measures.