Fewer thefts of credit card data may reflect effective PCI-DSS standards

6 Nov 2012

Jeremy King, European director of the PCI security standards council

Fewer incidents of large-scale credit card data theft are a sign that PCI-DSS standards are finally having an effect among large retailers, the director of the group’s security standards council has claimed.

The 2012 PCI European community meeting came to Dublin last month, a two-day conference attended by more than 500 delegates representing 269 organisations – up from the previous year’s event.

Asked to measure the progress of the standard at the annual event, Jeremy King, European director of the PCI security standards council, said breaches of the scale of the TJX hack almost six years ago, in which more than 45m credit card details were compromised, had become scarce.

“We don’t see the massive data breaches that we used to. Global Payments [1.5m records stolen in April 2012] was probably the most recent and biggest. Because they had already taken a lot of PCI on board and had a lot of procedures, they were able to react to it and contain it,” King told Siliconrepublic.com.

Logging data

Mark Gallagher, keynote speaker at the Dublin event, drew parallels between Formula One and PCI-DSS in how they approach risk. The former senior member of the Jordan Grand Prix management team, now a director of Stratus Formula One team, said best practice involves logging masses of data in order to assess a car’s performance.

Whereas 99pc of the information may ultimately be of no use, 1pc can provide the insight needed, he said. Added King: “In exactly the same way, security systems are always logging data. If we’ve got good tools in place to identify that 1pc, organisations can react to that and stop a breach very early.”

“You’ve got to have defence in depth and PCI gives you that best defence: your systems react quickly, we minimise the loss of data and the time that attackers are in your systems. Our experience is that the criminals generally target the organisations who are not compliant,” said King, citing the recent Verizon data breach report.

Greater awareness of data security has helped to spread PCI, particularly among large organisations that handle credit card information. As more focused attacks take the place of wide-scale breaches, the challenge for those driving the PCI standard is to ensure smaller merchants are brought into the net, said King.

“Governments have become very much aware of cybercrime. Data protection commissioners are pushing the wider cyber security message, and behind that, we consider cardholder data to be part of customer data.”

At the Dublin conference, the PCI council launched two new data security training programmes. The first, qualified integrator and reseller (QIR) is aimed at training personnel who work for companies that install payment-processing software for merchants.

“We’re hoping for a strong take-up from industry and we’re looking for the merchants to do a push and ask if the integrators are QIR certified,” said King.

The second programme, payment card industry professional (PCIP), is aimed at individuals working in companies that process credit card data, and is aimed at providing a good understanding and awareness of PCI security standards.

“In a merchant environment, having everyone trained and understanding their roles, gives you that teamwork to be able to give the best defence against attacks,” King said.

Mobile devices challenge

Another challenge facing the industry is the rapid growth of smart mobile devices and the PCI council recently issued guidance on the risks of using them as a device for accepting payments.

King said many handsets are at risk of downloading malware that could compromise any payment information being held on it or sent from it. He admitted that particular genie is out of the bottle: mobiles already being widely used and it’s up to the security industry to catch up rather than being in a position to impose controls from the start.

“In some respects, it is the right way around. People have got to be able to push boundaries of new technology but it is our responsibility to work with the community to say to our merchants: ‘understand the risks associated with that’, and try and say ‘this is what you need to do to make this secure and protect this cardholder data’,” he said.

Gordon Smith was a contributor to Silicon Republic

editorial@siliconrepublic.com