This article appears in the May 21, 2009, edition of ISO&Agent Weekly.
Staying one step ahead of fraudsters remains a constant challenge for businesses, which must protect card numbers and consumer information from would-be data thieves.
The turbulent economy has helped increase creativity among potential data thieves, who have intensified their attacks on consumer and business databases, Ellen Richey, chief enterprise risk officer at Visa Inc., stated in March at the Visa Security Summit in Washington, D.C.
Visa's security experts have detected increases in the frequency and sophistication of attempted scams and attempted system intrusions, Richey said.
Improving data security for payments companies means building on the PCI standards and adding layers of security, such as data encryption, throughout the transaction, note key industry players. ISOs partnering with their merchant clients and educating them about data security and the need for multiple security measures is also an important part of thwarting thieves, they note.
Though the Payment Card Industry data-security standards are designed to help merchants, processors and others in the payments industry keep data secure, businesses must do more to outpace criminals, note industry insiders.
"Raising the bar" on security above the provisions outlined in the PCI standards can help the industry increase safety, agrees Nick Holland, senior analyst at Aite Group LLC, a Boston-based research and advisory firm.
Layer On Security
The PCI standards represent only one aspect of security for payments-industry companies, agree industry insiders. Companies should layer additional security technologies and practices on top of them to help repel fraudsters' efforts, they say.
The PCI Data Security Standard and the other standards governed by the Payment Card Industry Security Standards Council are good programming and information-technology practices, says Ron Greenberg, chief information officer of PowerPay LLC, a Portland, Maine-based ISO and merchant-service provider. "I don't think PCI is going away. The question is what to lay on top of it," he says.
Indeed, the PCI standards are "not meant to be exhaustive," said Visa's Richey. "The standards provide a strong foundation, and the best strategies build on that foundation to create a multilayered and evolving defense."
A panacea for data security will never exist because it is impossible to keep data 100% safe from criminals, says Cliff Gray, an associate and merchant-processing and product-services expert with The Strawhecker Group, an Omaha, Neb.-based consulting firm.
Each security layer a company may add, such as transaction encryption, is "not the entire solution" by itself, agrees Bob Russo, general manager of the Payment Card Industry Security Standards Council. Layering the security options creates a more complete line of defense, he says.
The PCI standards are useful tools, but they are publicly available, notes Michael Petitti, chief marketing officer for Trustwave, a Chicago-based data-security company. "My company, an ISO and a merchant all have access to the same information," he says. "The people trying to steal cardholder data also have the information."
Because fraudsters constantly are attempting to defeat the industry's security practices, organizations should implement security measures beyond PCI to enhance the safety of cardholder data, says Petitti.
"As criminals get more sophisticated, we must also get more creative in building multiple layers of security—in technological innovations, in partnerships, in business processes—to ensure that we stay one step ahead," said Richey.
Implementation Challenges
Additional security measures can help minimize the effectiveness of would-be data thieves, but companies likely will not find implementing them easy or inexpensive, note industry insiders.
Complete encryption throughout the industry would help keep data safe, but "is it feasible?" asks Holland. "It would mean upgrading every payment terminal everywhere," he says.
Bringing chip-and-PIN technology to the United States similarly would require companies to expend time and funds, says Gray. "It's the right solution for the big picture, but it will take a lot of years" and funds because the infrastructure is not in place, he says.
To accept chip-enabled cards, merchants must update their payment terminals, and issuers must prepare to distribute the cards to consumers. Widespread implementation of additional security measures also would require merchant education, note industry insiders.
Many merchants, especially smaller ones, do not have the information-technology sophistication needed to add multiple layers of security, says Gray.
ISOs can play a role by educating their merchant clients, especially because their agents are in contact with many smaller retailers, says Gray. "All of those little guys are a much more vulnerable group than the big guys," he says.
The industry must increase its "presence as educators and advocates for data security," Visa's Richey advised. "We must be more efficient, more vigilant and more convincing than ever to ensure that critical investments in security continue to be made."