The Standards Blog

How Safe is your Credit/Debit Card?

General News

PCI Security Standards CouncilCybersecurity is an increasingly frequent topic in the news, and this week brought word of the indictment of someone who must be the leading contender for the title, Master Cybercriminal of All Time (Payment Card Fraud Division):  Albert Gonzalez.  More recent press reports point to additional conspirators who Gonzalez's attorney contends were there real masterminds. Top honors aside, government prosecutors contend that the team are responsible for all of the most high profile data breaches publicized to date: Heartland, Hannaford, TJX, and more - gaining access to information relating to an astonishing 130 million credit and debit cards or more.

With so many breaches in the news, you might understandably be wondering how safe your own financial information is, and whether anyone is doing anything to protect you.  Happily, the answer is "yes," and as it happens, the organization that has been tackling this problem is a client of mine, PCI Security Standards Council, which creates and enables a global, end to end ecosystem of standards, certifications, auditors and more to secure payment card data from the moment that your card gets swiped on a reader to the time it reaches its ultimate destination. 

PCI Security Standards CouncilI dedicated the last issue of Standards Today to the topic of cybersecurity, and included an in-depth interview with PCI SSC's General Manager, Bob Russo, who should make you feel better about the security of your own financial information - at least to the extent that those that handle your information comply with PCI SSC standards.  Moreover, the holistic approach that PCI SSC has adopted can, and hopefully will, serve as a model for protecting other areas of your personal, private information as well - such as the  electronic health records that care providers will now need to securely create, store, and share.

The following is taken from the introduction to that interview, and will give you an overview of what PCI SSC is all about.  You can find the complete interview here.

Enabling an Ecosystem of Security:

An Interview with PCI SSC's Bob Russo

As anyone who follows the news is aware, data breaches involving credit and debit card information have been very much in the public eye. In the cases that have received the most publicity, information relating to over 45 million cards was compromised by the breach of retailer TJ Maxx, and when malware was installed on a server of card transaction processor Heartland Payment Systems, the number of cards compromised may have exceeded 100 million. And indeed, with millions of retail outlets taking payments via credit and debit cards, the points of opportunity for hackers to access card data in batches large and small are inevitably great. The only way to prevent such breaches is for retailers, and those upstream from them (e.g., banks, processors and card issuers), to exercise great care and constant vigilance to guard against intrusion.

But what practices are most effective, and how much security is enough? These are difficult questions, given that the answer must address the vulnerabilities of a network that includes an almost infinite number of data entry devices, a global communications network administered by many different companies, processing and database software from multiple vendors, transaction processing service companies, card issuing banks throughout the world and multiple payment card brands. Achieving security in a manner that is consistent is also vital, so that merchants are not subject to radically different requirements imposed by each payment card brand with whom they do business. Clearly, then, there is a need for a central, collaborative organization that can set the bar for security for each primary area of vulnerability in the payment card ecosystem, define best practices, certify compliance efforts, and strive for consistency, all while remaining aware of the realities of the marketplace, and costs of compliance. In other words, a standards organization.

In order to achieve such a consistent, effective security environment, five of the major payment brands (American Express, Discover Financial, JCB, MasterCard Worldwide and Visa) came together in 2006 to rationalize and standardize their evolving, individual programs and to collaborate to develop new standards as needed to address new cybersecurity threats. The organization they created is called the PCI (for payment card industry) Security Standards Council, or PCI SSC. Today, more than 500 stakeholders in the global payment card ecosystem (merchants, banks, government and others) have joined the effort as Participating Organizations.

Not long after its launch, PCI SSC hired Bob Russo as its first General Manager. Russo came to the job with 25 years of security industry experience, in the course of which he had been a founder or senior management member of many service, software development and compliance companies. As General Manager of the Council, Russo is responsible for executing the Council's policies and achieving its goals. More specifically, he oversees the Council's training, testing and certification programs, supports the certification process, coordinates research and analysis, solicits feedback from the vendor and merchant communities, and drives recruitment of stakeholders as Participating Organizations in the Council.

In this detailed interview, Bob Russo explains how PCI SSC came into existence, the industry challenges it was formed to address, the unique infrastructure that it has helped create, and how the Council is helping the payment card ecosystem to work together to safeguard payment card and personal information. What he has to share is useful to provide insight into the challenges of protecting such information from fraud. More broadly, though, the standards that the Council develops and the infrastructure that it supports provide an example of the type of comprehensive, global risk management regime that can be emulated in many other settings where equivalent amounts of personal information will become vulnerable to breach and misuse, from open government to electronic health records. Unless similar or equivalent organizations come into existence in these areas, the consequences may be regrettable.