Retail Breaches Are Exposing Weaknesses in PCI Security Practices
As the Payment Card Industry Security Standards Council prepares to update the PCI Data Security Standard, malware attacks aimed at payments networks are garnering attention, says the council's Jeremy King.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs.
Retail breaches are exposing weaknesses in PCI security practices throughout the world, says King, who heads PCI SSC in Europe. "The criminals are still finding it too easy to break into everybody's systems," he says in an interview with Information Security Media Group. "Poor passwords or weak passwords are the No. 1 challenge we all have to address. This is not low-hanging fruit - this is fruit lying on the floor waiting to be picked up."
Network attacks aren't the only worry that card issuers and merchants throughout the world are facing, King adds. New payments technology, such as mobile and emerging e-commerce transactions, is posing increasing PCI compliance challenges as well, even in markets where chip-and-PIN transactions are the standard, he says. "We are seeing increased interest in mobile commerce," and more interest among European retailers in marrying e-commerce with face-to-face payments, he says.
Even with payments that conform to the Europay, MasterCard and Visa (EMV) chip standard, retailers have to be mindful of card data risks, King says. "EMV isn't the cure-all for data security," he explains. "EMV is great at securing face-to-face transactions and preventing face-to-face fraud. But it does not cover card-not-present transactions," such as those conducted through e-commerce sites.
End-to-end encryption addresses card-not-present transaction security risks, King says. But merchants must consistently ensure they are not inadvertently storing card data, or transmitting it in a way that exposes cardholders to new risks.
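As an added illustration, not code from the council or from the original article, here is a small Python scanner of the kind a merchant might run over application logs to catch the inadvertent storage King warns about. It picks out digit runs of card-number length, keeps only those that pass the Luhn mod-10 check (which discards look-alikes such as phone numbers, timestamps and order IDs), flags field names for sensitive authentication data (CVV/CVC, track data) that PCI DSS forbids storing after authorization, and reports any PAN masked to first six/last four so the report itself is not a new store of cardholder data. The log lines are constructed for this example, and the card numbers are publicly known test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example (not from any real system).
# The card numbers are industry test numbers that pass the Luhn check but
# belong to no real account; the 13-digit "phone number" is a decoy that
# does not pass Luhn. Line 1 shows a correctly masked PAN; line 2 shows a
# debug log leaking a full PAN plus the CVV; line 4 a PAN with spaces.
SAMPLE_LOG = """\
2014-03-02 10:11:12 INFO  order=1001 pan=411111******1111 status=approved
2014-03-02 10:11:13 DEBUG gateway request body: {"pan":"4111111111111111","exp":"1216","cvv":"123"}
2014-03-02 10:11:14 INFO  customer phone=4155551234567 lookup ok
2014-03-02 10:11:15 INFO  order=1002 pan=5555 5555 5555 4444 status=approved
"""

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Field names for sensitive authentication data (CVV2/CVC2, track 1/2),
# which PCI DSS forbids storing after authorization even if encrypted.
SAD_FIELDS = re.compile(r'"?(cvv2?|cvc2?|track[12]?)"?\s*[:=]', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every card brand's PAN satisfies it, and most
    random digit runs (dates, phone numbers, order IDs) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> List[str]:
    """Return the unmasked PANs found in one line, after Luhn filtering."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log(text: str) -> List[Dict]:
    """Scan log text line by line; report masked PANs and any sensitive
    authentication data field names, so the findings list never holds a
    full card number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        sad = sorted({m.group(1).lower() for m in SAD_FIELDS.finditer(line)})
        if pans or sad:
            findings.append({"line": lineno,
                             "pans": [mask_pan(p) for p in pans],
                             "sad_fields": sad})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, only lines 2 and 4 are reported: line 2 for a full PAN and a `cvv` field, line 4 for a space-separated PAN. The masked PAN on line 1 and the phone number on line 3 are ignored. In practice the same logic is pointed at log directories, database exports, crash dumps and backups, and the regex alone is far too noisy: the Luhn filter is what makes the output reviewable, but roughly one random digit run in ten still passes it, so each hit needs confirmation before it is treated as a PCI DSS scope finding.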
As the council expands its international reach, with a new board of advisers that for the first time includes representation from every major global card market, King says the industry is better positioned to address these and other card security risks.
"We have new representatives coming on from Africa and the Middle East, to join the representation we have from the United States, Europe and Asia," he says. "Now we can get a true global perspective about what are the challenges and what is working."