PCI's CTO on the Future of Card Security, and the Lessons of the Past
Earlier this month, the PCI Security Standards Council marked its 10th anniversary as the source of data security guidelines for all payments industry stakeholders.
It hasn't been a smooth ride, particularly over the last six years, as the spread of cyber attacks and mounting data breaches exposed the PCI Data Security Standard for what it is: a baseline for how merchants protect their networks, not a silver bullet against increasingly sophisticated and organized fraudsters.
As a result, some merchants have questioned the process, need and cost of PCI compliance. Some have even called for changes in how the council operates, saying it has no power compared to the card brands. This has led some to suggest that another governing body should oversee security mandates.
Still, technology advancements have made data far more secure than it was 10 years ago, and the vision of the PCI Council and its many supporting members points to even more developments in the near future to better protect payment transactions.
Troy Leach, chief technology officer for the PCI Council, sat down with PaymentsSource to reflect on the council's performance to date and where it is headed in the coming years.
PaymentsSource: Through all of this time in establishing the PCI standards and positioning the council as a way for the payments industry to police its own security, what remains one of the biggest challenges?
Leach: Communicating with smaller merchants remains difficult. PCI published a wealth of information for small merchants recently, stripping out all of the acronyms and jargon, and partnering with merchant associations to distribute it. But how do we reach the small shops, with one or two stores? This is an area we struggle with, and we have been looking at communication strategies to use over the next few years.
PaymentsSource: Do you ever get the impression that the smaller merchants aren't that interested in PCI compliance?
Leach: Small merchants represent the majority of locations accepting payments, so we have to reach them and share the basics. If they knew about PCI standards, they would care more and would want to protect their customers' information. These small merchants care about their customers and security, but they don't know where to look.
PaymentsSource: Has the PCI Council stayed true to its concept, or has it changed because of technology or the politics of payments?
Leach: Any organization, regardless of industry or mission, has to evolve within the ecosystem in which it operates. The PCI Council is no different. Ten years ago, payment acceptance was just more simplistic and attacks were less direct. It was more about getting account info off a back [office] server, or dumpster diving or stealing info from a database. PCI has evolved to address new attacks through new payment models.
PaymentsSource: What have the major changes looked like?
Leach: Smartphones and mobile didn't exist 10 years ago, so there are new payment channels and new micro merchants. Back in 2006, globally, maybe 8 million to 10 million merchants existed, but today there are 22 million that can accept cardholder info in 36 million locations — and they need formal protection. So we have changed the equation in awareness and education. We are trying to educate merchants on minimizing the amount of data they store and to encrypt the data they do. Those two principles have gone a long way. It's a success when cardholder data is not lost because it was encrypted.
PaymentsSource: Has the general pitch from PCI that it is providing only the baseline for security, and that merchants need layers of protection for their networks, been lost in translation in any way? Have merchants looked at PCI and felt it is an expense that simply does not guarantee safety?
Leach: A key thing that comes to mind is that PCI has only nine published standards, most of them applying to stakeholders that merchants rely on in card manufacturing, provisioning to mobile devices, payment applications and terminal functions. It covers every part of the system ... The key is to devalue the card data information and also promote other technologies such as EMV, tokenization and point-to-point encryption to stymie a fraudster's incentive to break into a system. It is a challenge to manage cardholder data and understand the risks.
PaymentsSource: How does PCI seek merchant support for what it offers and requires for compliance?
Leach: As a former CTO for a small merchant, I know what the pressure is like on the IT team and what the merchant faces. That is always at the forefront of what we do. Our focus is to try to simplify compliance while we raise security. This is why our membership is made up of a large number of merchants.
In the next three years, we want to change the focus to a process rather than a point in time [at which the company passes an assessment]. PCI is a process, and as your process changes, you have to have a lot of education with PCI and make it culturally part of what you are expected to do day in and day out.
PaymentsSource: In as few words as possible, how would you describe a payments industry without PCI?
Leach: Market confusion. Merchants would be accepting five card brands and processing through multiple processors, financial institutions and acquirers. There would be no common voice and no common approach for a streamlined process. Gone are the days when any entity can avoid demonstrating that it is secure. Without PCI, that would turn into a costly and confusing process.
PaymentsSource: What will the PCI Council be doing in the next 10 years?
Leach: The biggest thing is having dynamic data and authentication, so there is no ability for a criminal to steal data from a merchant location and perpetrate fraud. Wearables and other factors will become important for security. And we need automation to ease pain for merchants. That's more automation of testing and correction, and more focus on security during the development process. With that, the pain of doing compliance is minimized.
The other part is better documentation. Organizations will have tools to automatically update network diagrams and asset management, so it will no longer be a painful manual process to show they are following PCI requirements. Much better detection of bad behavior will also be in place to minimize damage.