PCI DSS is working, but there are challenges to overcome
by Jeremy King - European Director, PCI Security Standards Council - Monday, 12 December 2011.
Recent figures from the UK Cards Association showed that banking industry initiatives, including PCI have been successful in decreasing the volume of card and bank account fraud. Payment card fraud losses in 2010 reached their lowest levels since 2000, and have made significant improvement from their all-time high just three years ago in 2008. Overall, they suggested that total fraud losses on UK cards fell by 17 percent alone over the preceding year.

Data protection laws in Europe are getting tougher, with Spain, Italy and Germany now requiring companies to notify customers of a privacy breach. Additionally, as companies take a broader look at business processes in the data-security context, PCI DSS is proving successful as a strong foundation for overall data security, with research pointing to the PCI Standards as effective in efforts to satisfy the European Data Protection Directive.

While significant progress has been made in the reduction of card fraud in Europe, more can be done. The unfortunate news is that there was still more than 417.5 million EUR in UK card fraud in 2010 Ė well over 1 million EUR per day! We also just saw a relatively sophisticated attack plot here in Spain, where an attack on mobile banking applications could also have spread to include card fraud. And while last year we saw a drop in fraud losses and a decline in breached data records, where will we end up as we enter into 2012?

The series of global, massive data breaches that have plagued organizations just this year proves that organizations involved in the payment chain are still being targeted and must take direct action to place security soundly into their day-to-day business efforts.

Although many organizations have tried to combat fraud and protect sensitive information through technology or processes, there is a third pillar - people - that is essential in order to be truly successful at securing card data. We can't simply rely on a single technology to solve the problems of data breaches in today's threat landscape. We need to continually examine the people, processes and technology we have in place to prevent future card fraud.

Some of the basic steps to reducing fraud combine these elements.

We should be looking to educate our people, then develop security procedures, strategy and implement technologies designed to reduce scope and reduce risk. Only through this will we be able to address the next critical juncture of payments security, especially in new payment technology areas such as mobile security, where everyone seems to want to jump to.

Here are a few of the tips I provide organisations when we are talking about moving toward more secure payment transactions, and which Iíll be discussing in more detail with security professionals at the annual ISACA Information Security and Risk Management (ISRM) Europe Conference in Barcelona, Spain on 14-16 November.

If you don't need it, don't store it!

Ok, I agree this can seem a bit like an oversimplification, but it works on so many different levels, and to be honest, this is the basis for many talked about technologies such as encryption and tokenization. Do everything you can to eliminate data. Train your people, create the processes and then look at the appropriate technologies that help you in this effort. In many cases you can replace the data that you currently store or transmit by encrypting or tokenizing the data. This will help reduce the scope of your PCI assessment and simplify your compliance efforts.

Think security, not compliance - Thatís basically what the first tip is about as well, but this goes further. A Report on Compliance is a piece of paper; a valuable one to many organisations, but perhaps less valuable than the peace of mind that you have when you are prepared for ongoing security.


More than 900 embedded devices share hard-coded certs, SSH host keys

SEC Consult analyzed firmware images of more than 4000 embedded devices of over 70 vendors and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Nov 26th