Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today.
We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of control. In fact, probably one of the most remarkable stats you can look at is the sheer size and scale of Visa’s network. They service over 30 million acceptance locations with 21,000 issuers globally. Lots and lots of people, but very little fraud in the system.
“For the most part, people are doing what they are supposed to do to protect that data,” said Perez.
So if fraud is so low, where are breaches coming from?
“Merchants are no longer storing prohibited data on hard disks; unfortunately, the attack vector has morphed into using more malicious software to steal cardholder data in real time,” said Beierly. I can remember having serious arguments with developers saying that this type of attack was not only impractical, but impossible. Looks like we’re in the future now, Toto.
But even with advanced attacks happening today, basic security holes still cause a significant number of breaches. “[The] number one thing we are seeing is remote access” as a compromise attack vector, said Beierly. Companies wanting to prevent the drive-by breach should ensure they have addressed basic security controls like changing system defaults, resetting blank passwords, fixing open remote access, and locking down their wireless networks. If you are in the hospitality or restaurant business with a poorly secured integrated point of sale system, you are an especially juicy target. If you are a company that runs one, do yourself a favor and ensure it is secured.
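The controls Beierly lists (system defaults, blank passwords, open remote access, wireless lockdown) are easy to check mechanically once a POS deployment's settings are inventoried. The following is an added example, not code from Visa, the PCI Council, or this blog: a small audit routine that flags each of those four weaknesses in a host description and returns the findings. The default-credential list, the field names of the host record, and the two sample hosts are all constructed for the example; real vendor defaults and real configuration formats vary by product.

```python
"""Audit a POS/remote-access host description against the basic controls
named in the interview: vendor defaults, blank passwords, open remote
access, and weak wireless. Added example; not Visa's or PCI SSC tooling."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of vendor default (user, password) pairs. A real
# deployment would load the list that applies to its own POS product.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("support", "support"), ("pos", "pos")}
# Wireless modes that do not protect cardholder data in transit.
WEAK_WIFI_MODES = {"open", "wep"}


@dataclass
class HostConfig:
    """Constructed, simplified view of one POS host's settings."""
    hostname: str
    accounts: Dict[str, str]     # username -> password ("" means blank)
    remote_access: Dict          # enabled, allowlist (source IPs), mfa
    wifi: Dict                   # mode (open/wep/wpa2/...), default_ssid


def audit(cfg: HostConfig) -> List[str]:
    """Return one finding string per weakness found; empty list if clean."""
    findings: List[str] = []

    # 1. Blank passwords and vendor defaults (two of the "basics" above).
    for user, password in cfg.accounts.items():
        if password == "":
            findings.append(f"{cfg.hostname}: account '{user}' has a blank password")
        elif (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"{cfg.hostname}: account '{user}' uses a vendor default password")

    # 2. Remote access: if it is on, it must be restricted to known sources
    #    and protected by a second factor, otherwise it is "open".
    ra = cfg.remote_access
    if ra.get("enabled"):
        if not ra.get("allowlist"):
            findings.append(f"{cfg.hostname}: remote access reachable from any source address")
        if not ra.get("mfa"):
            findings.append(f"{cfg.hostname}: remote access has no multi-factor authentication")

    # 3. Wireless lockdown: encryption mode and a non-default network name.
    wifi = cfg.wifi
    if wifi.get("mode", "").lower() in WEAK_WIFI_MODES:
        findings.append(f"{cfg.hostname}: wireless mode '{wifi.get('mode')}' is not acceptable")
    if wifi.get("default_ssid"):
        findings.append(f"{cfg.hostname}: wireless still broadcasts the vendor default SSID")

    return findings


# Constructed sample hosts: a typical "drive-by" target and a hardened one.
WEAK_POS = HostConfig(
    hostname="store-042-pos",
    accounts={"admin": "admin", "manager": "", "pos": "pos"},
    remote_access={"enabled": True, "allowlist": [], "mfa": False},
    wifi={"mode": "wep", "default_ssid": True},
)
HARDENED_POS = HostConfig(
    hostname="store-042-pos",
    accounts={"admin": "Xq7!vL2#pR9m", "manager": "Tz4$wN8@kH1s"},
    remote_access={"enabled": True, "allowlist": ["203.0.113.10"], "mfa": True},
    wifi={"mode": "wpa2", "default_ssid": False},
)

if __name__ == "__main__":
    for host in (WEAK_POS, HARDENED_POS):
        results = audit(host)
        print(f"{host.hostname}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Running it lists seven findings for the weak host (two default accounts, one blank password, two remote-access issues, two wireless issues) and none for the hardened one. The point of the structure is that each of the four controls maps to an explicit check, so a franchisor pushing the same checklist to many sites can run it against an inventory rather than relying on each integrator remembering the basics.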
But wait, I asked, with the US Payment Application Security Mandate now one year past the deadline for Phase 5, why are we still seeing applications that appear not to comply with PA-DSS involved in compromises? As most of you know, just because a payment application is listed on the PA-DSS list of approved applications doesn’t mean it comes that way by default, and it could still be configured in a way that would not comply with PA-DSS.
Breaches also happen with a “poor implementation of the POS even if it is a PA-DSS validated application,” said Ilori. Whether it is a provider offering a managed POS system choosing to remotely access these devices insecurely or just someone unfamiliar with how to deploy a payment application in a secure way, companies are putting unwitting merchants at severe financial risk. “In many cases they are using a ‘validated application’ but it had not been properly installed and configured,” said Perez.
But like my interview with Bob, Troy, and Jeremy highlighted, the focus is now on small business. Visa recently did a big awareness push to large franchise businesses by sending letters to CEOs of the franchisors to help spread the word.
Perez said Visa shares information with franchisors when they notice trends among their franchisees. When they do identify a compromise trend at a group of franchisees, they work with the parent company to protect the remaining entities that have not been breached. It’s a reactive measure with a proactive response to slow or halt the spread of the breach.
I didn’t ask about the TIP program; it’s been covered here, here, here, here, and here (this last link has the final word). But when I talked about global trends associated with PCI Compliance, Perez reminded me that “a high percentage of the overall number of compromises are here in the US.”
In Perez’s address on the State of PCI at the meeting, he stressed that security in the system is the most important focus that stakeholders can take as they look ahead to new and exciting technologies and business models. Compliance with PCI has been painful for many companies, but most are better off after going through it whether they admit it or not.
With security as a major focus, can we finally get compliance right? Can we further protect our interests in the financial system and continue to reduce fraud? Will it lead to a more efficient payment system with lower interchange and fees? We should revisit this post in five and ten years to see what it looks like then.
Until that point, let me leave you with something that Perez said to me during the interview as well as to the entire thousand-strong crowd in Scottsdale. “Security will be one of the most important pillars we need to support the evolution of payments.”