PCI Council's New Manager Pushes 'Security in a Box' Concept

It's time for the Payment Card Industry Security Standards Council to work with acquirers in providing merchants with "PCI in a box," said Stephen Orfei, the council's new general manager.

The PCI council maintains the PCI data security standards, which describe how companies that handle payment card data must protect it. Orfei is taking over PCI's leadership role for retiring general manager Bob Russo. Orfei presided over his first PCI community meetings in Orlando, Fla., last week, and will continue to work the next three months alongside Russo, who will depart at the end of the year.

Orfei wants to make it easier for merchants to comply with data security standards while continuing to advance efforts to de-value data.

"We need to be much more merchant-focused and put them front and center," Orfei said.

To emphasize that focus, the council needs to "flip the dialogue" from one of a compliance-oriented organization to one stressing prioritized risk-based assessments, Orfei added.

"The end game is to de-value the data to the point where it is useless in the hands of organized crime," Orfei said. "We are in a much better place to do that with emerging technologies and that's what we want to drive for."

Part of that message will come as merchants and payments networks adopt EMV chip-based cards, tokenization and point-to-point encryption technology, as well as mobile payments.

The PCI council has nothing to do with how the card brands deploy tokenization, but it realizes it has to be a leader in the process of adopting the technology, Orfei said.

"The council will work with EMVCo [the EMV standards body] to educate the marketplace on multiple levels and provide thought leadership," Orfei added.

The PCI council will conduct its own tokenization study to help develop best practices and guidance, Orfei said. "We want to be forward-thinking on this and share irrefutable data about tokenization."

The introduction last week of the Apple Pay mobile wallet has many in the industry excited about the prospects it creates for growth in mobile payments and security, Orfei said.

"We haven't looked under the hood of Apple Pay because it is so early on, but we are excited that it appears to be a real proper implementation of tokenization," Orfei said.  

Today, larger merchants are attentive to PCI compliance and tokenization, but smaller merchants remain in need of education, he said.

"We are very focused on getting the small and mid-size businesses to get their arms wrapped around PCI," Orfei added. "The guys trying to get pizzas out the door or take orders online; I don't expect them to understand security terminology or IT terminology."

In acknowledging that PCI has come under fire as data breaches mount, Orfei said no business is immune from "hack and attack."

But guidance and vigilance in security can go a long way to fight back against fraudsters, he said.

Orfei has more than 20 years of experience in payments, having previously worked as a security consultant at CA Technologies and as a senior vice president in emerging payments for MasterCard.