The only way for the payments industry to thwart future hackers is to create a system that can adapt quickly to unanticipated threats, but many companies still struggle with the costs of handling their basic security needs.
"We need a very intelligent system, a model that evolves and learns from changes in data," says Arthur W. Coviello Jr., executive vice president and executive chairman at RSA Security, a Bedford, Mass.-based division of EMC Corp.
The key element to such a system would be the big data surrounding payment accounts and transactions, Coviello says. The system has to "extract meaning for security purposes" from the data and find the "hidden patterns or a faint signal that an attack is in progress," Coviello said Oct. 2 at Visa's annual Global Security Summit.
However, many security companies find it costly to get certified for EMV smart cards and reach compliance with the Payment Card Industry data security standards, says Stafford Masie, CEO and founder of South Africa-based security vendor Thumbzup.
Masie's company has already spent millions of dollars in certification costs, but many couldn't afford such an investment, he says.
The payments industry should create a fund that would help all innovators have an opportunity to present technology that could help solve data security problems in the future, Masie says. "In this new world of data security, you have to introduce flexibility," he says.
In the past six years, payments systems have connected to new technologies such as cloud computing and social networks, Coviello says. This means billions of people are now hooked into systems in which they can share card data, he adds.
When consumers eventually get online or mobile access to TVs, vending machines, ATMs, parking meters and other devices, "that expands the hackers' path-of-attack surface," he adds.
As data security moves into a virtual world, the traditional "perimeter of defense" for data will no longer exist, Coviello says. "By the year 2020 it will be almost impossible to protect physical infrastructure" because perimeter defense will be difficult to establish, he adds.
"Change has been remarkable and consistent, whether it is faster payments or loyalty programs on steroids," he says. "But all of that technology dramatically increases the attacks on our systems."
Even if payments companies can adapt, many merchants still won't have the ability to defend themselves, Coviello says. However, they benefit from the recent agreement between Visa, MasterCard and American Express to establish a new standard for online account identities, he says.