Holding up his iPhone, Bob Russo, general manager of the PCI Council, declares, "This is the most insecure device in the world, and my life is on it."
The task of providing the right security layers for payment products, especially in the emerging field of mobile payments, is daunting for many banks. Russo and brand-new PCI Council Chairman Michael Mitchell, who is also vice president, global network operations at American Express Merchant Services, are stepping up the security best practices and services the Council offers its 650 financial services members.
"This is a fascinating time to be in the industry because of mobile technologies," Mitchell notes.
The PCI Council, Wakefield, Mass., is building assessment services that will help banks determine the worthiness of new payment and data security products. The group has put together a community of 250 Qualified Security Assessors who have been trained in its Payment Application Data Security Standard (PA-DSS) and are authorized to vet and certify that solutions have met the requirements. "We're training as many people as want to be certified," says Russo. "Once a solution is assessed, they will verify that a certain piece of the solution is compliant." Certified companies will be listed on the PCI Council website.
Among other things, the PCI Council is assessing mobile card readers that target smaller retailers. "We look at the merchant at the flea market that's accepting cards with one of these devices — are they storing credit card information?" Russo asks.
PCI Council members have become more proactive of late, Mitchell says. "It used to be that security was important in reacting to something," he says. "But members of the Council say they'd rather pay for prevention than for a security breach."
Are banks doing enough to protect their customers' payment information? "That's a loaded question," Russo says. "Banks are probably the most heavily regulated industry out there. They're already doing a lot of things, probably more than most. The larger companies do 70-80% of what we're asking without looking at the standards, just as good business practice."
But there's a difference between complying with standards and providing watertight security, Russo notes. "When my insurance company asks me if I have deadbolts on my doors, I say yes," he says. "Do I lock my doors before I leave the house? That's a different story. Whenever there's a breach, it's a wake-up call, you see more diligence then."
It's the simple things people in many companies forget, Russo points out, like leaving a default admin password in place instead of changing it, and leaving old, vulnerable applications live on a publicly accessible website.
The Council has identified encryption as a priority. "Members see it as a way of reducing the scope of PCI assessments," Russo says. Other priorities for the group include e-commerce security, risk assessment and cloud computing security.