Visa risk chief: Reports of PCI's death exaggerated

Visa's top risk official has defended payment industry security guidelines, but also called on organisations to invest in constant monitoring, information sharing and new technology -- while not letting the sour economy get in the way of security spending.

"Recent rumblings about the demise of the [Payment Card Industry Data Security Standard] are not only premature, they are dangerous to long-term security," Ellen Richey, Visa's chief enterprise risk officer, said during her keynote address at the Visa Security Summit in Washington, D.C. "Despite recent negative commentary, the PCI DSS remains an effective security tool when implemented properly. Simply put, it is the best defense against data theft available today."

At the start of her talk, Richey referred to Heartland Payment Systems, which disclosed a monster breach in January. She told attendees to consider this an exception, not the rule.

The New Jersey payment processor had been validated as PCI DSS-compliant when hackers installed data-sniffing malware on the company's internal network. This resulted in some industry observers questioning the effectiveness of the guidelines. Visa later pulled Heartland from its list of PCI DSS-approved service providers.

"I'm sure everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," she said, according to a transcript of her speech. "The fact is, it never should have...As we've all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack."

Richey told the audience that the country's current dismal financial state may pose more of a threat to payment security than hackers. She called on the audience to "increase our presence as educators and advocates for data security."

"If we cannot convey the urgent need to maintain investments in payment security -- particularly in today's environment -- years of progress in building consumer trust could slip through our fingers," she said.

In addition, she urged businesses to provide ways that customers can protect themselves from fraud. Law enforcement, processors, legislators and merchants, meanwhile, must increase their levels of information sharing.

Finally, Richey said investment must be made in new payment authentication measures, such as chip technology, so that the data criminals may steal becomes worthless. She mentioned measures being taken at financial institutions such as Fifth Third Bank, which uses unique magnetic stripes that can be used to verify the identity of the card being used.

Avivah Litan, vice president and distinguished analyst at Gartner, said it was important to hear that Richey realises the challenge of securing data will require new technology and an upgrade of the payment system to include things such as end-to-end encryption.

"I was glad to see Visa so progressive to admit they have to move beyond the PCI security standard, even though she didn't say that explicitly," Litan, who hosted a panel at the event, told SCMagazineUS.com.

See original article on scmagazineus.com