A few weeks ago I had a chance to attend the PCI Security Standards Council’s 2014 North American Community Meeting in Orlando, Florida. (PCI is shorthand for the Payment Card Industry Data Security Standard, a guideline to help organizations that process, store or transmit card payments.) Two highlights for me were presentations by the PCI’s new general manager Stephen W. Orfei, and another by Adm. James Stavridis, 16th Supreme Allied Commander of NATO.
Before introducing Orfei, outgoing PCI GM Bob Russo noted that when American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. founded PCI in 2006, there were 12 assessors (AKA QSAs). Today there are 3,000. About 300 people, he said, attended the first PCI event. This year there were 1,200—which is all to say that concerns about credit card security continue to spread.
After his introduction, Orfei began his section of the “Securing the Future of Payments Together” presentation. He outlined seven technologies that he thinks will have an impact on PCI in the years to come. They are:
- Mobile Payments: Apple announced on Sept. 9 that iPhone 6 devices will support mobile payments. It joins PayPal, Google and the mobile carriers that already offer their own mobile payment solutions. Soon mobile payment will be a part of ordinary life in the U.S. (as it has been for years in other countries).
- Tokenization: Along with malware training and guidance, biometrics, and point-to-point encryption, the use of tokens is one of many technologies being used to devalue data.
- EMV: “Europay, MasterCard and Visa” is a global standard for interoperation of integrated circuit cards (IC cards or "chip cards"), IC card-capable point of sale (POS) terminals, and automated teller machines (ATMs) in order to authenticate credit and debit card transactions. Orfei said that EMV is valuable technology, but “no silver bullet.” The idea behind EMV’s “chip and PIN” approach is that consumers would have a chip in their credit card and a PIN that activates the card or makes it valid. The problem is that the card data might not be encrypted and could itself be breached. But “chip and PIN” does make it harder to counterfeit credit cards. And since data thieves always take the path of least resistance, the highest fraud danger would then move to…
- Card Not Present: Orfei says that by 2018, 25% of all transactions will be done in the card-not-present environment, and that as we button down POS, fraud attacks will migrate to CNP. Merchant Account Forum defines card-not-present as “transactions that allow [consumers] to purchase goods and services without having to be physically present at the point-of-sale… transactions that can take place anywhere in the world, any time, regardless of whether or not the cardholder is physically present and signing a sales slip.”
- Cybersecurity and Government: Not a “technology” per se but, according to Orfei, there needs to be a global focus on the means and methods for stopping credit fraud in all of its many forms.
- Global Partnerships: Orfei was talking about partnerships not just between industries, but among PCI members, merchants, vendors, service providers and the myriad government security-focused organizations. As Orfei said, improving security is “something we can do much better when we work together.”
- Center of Excellence: Finally, Orfei envisages this as a kind of “one-stop PCI shop” where subject matter experts could educate merchants, conduct research, pass on best practices, and provide testing labs. Vendors and service providers would participate and provide the subject matter experts.
Describing a kind of one-two punch (as opposed to a “one-stop shop”), Orfei said that while companies must take steps to devalue data, they also need to build security into their corporate cultures. And that is where Cradlepoint can help.