Holding up his Apple Inc. iPhone, Bob Russo, general manager of the Payment Card Industry Security Standards Council, declares, "This is the most insecure device in the world, and my life is on it."
The task of providing the right security layers for payment products, especially in the emerging field of mobile payments, is daunting for many banks. Russo and brand-new PCI council Chairman Michael Mitchell, who is also vice president, global network operations at American Express Merchant Services, are stepping up the security best practices and services the council offers its 650 financial services members.
"This is a fascinating time to be in the industry because of mobile technologies," Mitchell notes.
The Wakefield, Mass.-based council is building assessment services to help banks determine the worthiness of new payment and data-security products. This year's emphasis is on online and cloud-computing data-security issues.
The group has put together a community of 250 qualified security assessors who are trained in its payment application data security standard and authorized to vet and certify that products or services have met its requirements.
"We're training as many people as want to be certified," says Russo. "Once a [product or service] is assessed, they will verify that a certain piece of [it] is compliant." Certified companies will be listed on the PCI Council website.
Among other things, the PCI Council is assessing mobile card readers that target smaller retailers. "We look at the merchant at the flea market that's accepting cards with one of these devices–are they storing credit card information?" Russo asks.
PCI Council members have become more proactive of late, Mitchell says. "It used to be that security was important in reacting to something," he says. "But members of the council say they'd rather pay for prevention than for a security breach."
Are banks doing enough to protect their customers' payment information? "That's a loaded question," Russo says. "Banks are probably the most heavily regulated industry out there. They're already doing a lot of things, probably more than most. The larger companies do 70%-80% of what we're asking without looking at the standards, just as good business practice."
But there's a difference between complying with standards and providing watertight security, Russo notes. "When my insurance company asks me if I have deadbolts on my doors, I say yes," he says. "Do I lock my doors before I leave the house? That's a different story. Whenever there's a breach, it's a wake-up call; you see more diligence then."
It's the simple things individuals in many companies forget, Russo points out, such as leaving the default administrator password on a computer unchanged and leaving vulnerable old applications live on a publicly accessible website.
The council has identified encryption as a priority. "Members see it as a way of reducing the scope of PCI assessments," Russo says. Other priorities for the group include e-commerce security, risk assessment and cloud computing security.