PCI Council Pegs Success On Community Involvement

Published: 22/11/2024   Category: security




The PCI Security Council celebrates its fifth anniversary this year with greater industry collaboration and more work ahead



It has been an uphill, five-year process for the PCI Security Standards Council, but through the participation of community members throughout the payment industry, this independent arbiter of the Payment Card Industry Data Security Standard (PCI DSS) has managed to drag the industry kicking and screaming to a higher level of awareness and a better state of security. Now, as the council passes its five-year anniversary, its challenge is to remain relevant and continue to keep up with the dynamic nature of both the threat landscape and the payment industry's latest technology.
Back in the fall of 2006, the foothold of relevancy that the council earned was far from guaranteed. Seana Pitt remembers being on pins and needles back then. An executive on loan from American Express, Pitt had been recently installed as the first chairperson of the newly formed PCI Security Standards Council.
Her goal was not only to help the five major card brands administer the enforcement of the PCI Data Security Standard, but also to develop a forum of those affected by the new standard within the payment ecosystem to help manage the evolution of the standard itself. But a community takes people, and she wasn't sure at the time how many willing participants would answer the council's call for help.
"In some ways it feels like a lifetime ago, and in some ways a moment ago, that I was sitting around waiting for the phones to ring," Pitt says.
It might have come in fits and starts at first, but the phones did start ringing and have kept it up over the years, to the point that when the PCI Council held its fourth annual community meetings in North America and Europe during the past month, it drew more than 1,600 stakeholders. That's a huge increase over the 323 who came to the first gatherings in 2007. What's more, the tenor of the conversations these community members are having has changed dramatically.
"If I harken back to 2006 when we were out talking to the marketplace, there was such anger around, 'Why do I have to do this? Why do you want us to put in security protocols? Don't we have it together already?'" Pitt says. "That has changed to a tone that now says, 'Is the council delivering enough innovation to keep pace with emerging security threats, emerging and payment vehicles?' and, 'How can we do more faster?' and, 'How can we do more to be more collaborative?' So it really went from an us-against-them to a 'we' strategy."
John Graham, vice president of governance, risk and compliance for First Data Corp. and a member of the PCI Council's Board of Advisers, was skeptical of the council and of the standard five years ago. At that time, he was working as a security practitioner, not within the payment industry. He had misgivings.
"Now that I'm in the payments industry, it has become evident that this has been an awareness engine that has been very effective at improving security," he says.
The awareness hasn't just materialized on its own. Pitt laid the groundwork early on with road shows and outreach efforts. Then she turned the mantle over to Bob Russo, who, as general manager of the council since 2007, has run a years-long public relations and education blitz for the standard. A hands-on and approachable leader who is quick with a story or a joke, Russo has been integral to establishing an open-door culture at the council. He and advisory board members field phone calls and emails personally when stakeholders of every stature have questions or concerns, and his "Ask Bob" sessions at the community meetings are the biggest draw at the events.
But through it all, he has been modestly adamant that he's just a facilitator. It's the council community that has done the hard work of molding the PCI DSS into what it is today, he says.
In the five years since it was formed, the council has come out with important updates to the standard and additional guidance documents to provide clarification on important security issues like point-to-point encryption and PIN transaction security. The number of qualified security assessors (QSAs) and approved scanning vendors (ASVs) has shot up dramatically. And the council has started some important special interest groups to support further clarification work on emerging threats and technology. Though it is hard to place a single metric on PCI's success, there are a number of indicators that the standard has helped the industry improve its security posture.
In that time, however, it has also seen its fair share of criticism. There are those within the security community who complain that PCI encourages checkbox compliance without encouraging true security improvements. To that, QSA Chris Novak of Verizon Business says a little perspective is in order.
"I would challenge anyone that would say that it isn't a good idea to institute any of the 12 requirements of PCI. There's nothing there that anybody thinks is radically new and different than what most people in security know they should be doing," Novak says. "But for some reason or another when you talk to people about it as a compliance requirement, they say, 'No. No. No.' I think a lot of people miss the security fundamentals of this."
Some critics have complained, though, that the standard doesn't go far enough and that some of the big breaches that have occurred during the past few years at some retailers happened when they were supposedly compliant. But according to Anton Chuvakin, analyst with Gartner, those claims of compliant organizations being breached are just not accurate.
"I don't think any of them were compliant at the time of the breaches. All those stories you hear tend to come from third-hand knowledge -- you know, 'I heard from someone who heard that...'" he says. "Usually they either weren't really compliant in the first place, or they fell out of compliance after certification but before the breach."
Take, for instance, the types of breaches that are occurring today, says Eduardo Perez, head of global payment system security for Visa.
"It is interesting, as I was looking through a list of major breaches this year, none of them materially involved card data, and I think that's telling," he says. "Breaches are still occurring and, unfortunately, companies are still getting hacked and losing other consumer information. But the hackers aren't getting to the card side of it, and it's mitigating some of the impact there."
Another key piece of evidence that PCI is working is the number of other industries that are looking to the council for advice on how to create something similar in their own spheres.
"I'm in D.C. twice a month, not lobbying for anything, but just talking because they all want to know how we got people to voluntarily do these things. I've got to tell you very honestly that three-and-a-half years ago when we testified before Congress, it was 180 percent the other way. They were saying, 'You guys are the bad guys -- it's not working,'" Russo says. "Well, how the worm turns. One of my biggest victories was getting a call from the lawyer who was all over me like white on rice at the hearing. He called to let me know he wasn't working for Homeland Security anymore, that he's working for finance, and they have to put together a plan for protecting data and want to use PCI as the model. This was the same guy who had raked me over the coals! Amazing, just amazing."
Of course, in order to keep pace with the technology and threat climate, the council can't afford to rest on its laurels. With the advent of mobile payments, the use of smartphones as credit card surrogates, and the parade of new hacking techniques that continue to barrage merchants and payment processors daily, the standard must constantly evolve.
"What we're dealing with now is evaluating what's next," Graham says. "At the community meeting, we had discussions on the mobile space. ... We have to remain relevant, and we have to become more proactive in addressing things, especially in emerging technologies, even though we don't want to set a standard for them because we don't want to minimize the evolution of that emerging space."
As Russo puts it, as long as there are static credit card numbers -- and, according to the card brands, that's going to be for a long time -- there will always be a need for the PCI Council.
"It's not going away, no matter what we do or how we do it," he says. "There's always going to be the need for security. If you want to be in business, you have to include some plan for securing that cardholder data. This is what we're trying to drive home."