Visa risk chief: Reports of PCI's death exaggerated

Share this article:
Visa's top risk official on Thursday defended payment industry security guidelines, but also called on organizations to invest in constant monitoring, information sharing and new technology -- while not letting the sour economy get in the way of security spending.

"Recent rumblings about the demise of the [Payment Card Industry Data Security Standard] are not only premature, they are dangerous to long-term security," Ellen Richey, Visa's chief enterprise risk officer, said during her keynote address at the Visa Security Summit in Washington, D.C. "Despite recent negative commentary, the PCI DSS remains an effective security tool when implemented properly. Simply put, it is the best defense against data theft available today."

At the start of her talk, Richey referred to Heartland Payment Systems, which disclosed a monster breach in January. She told attendees to consider this an exception, not the rule.

The New Jersey payment processor had been validated as PCI DSS-compliant when hackers installed data-sniffing malware on the company's internal network. This resulted in some industry observers questioning the effectiveness of the guidelines. Visa later pulled Heartland from its list of PCI DSS-approved service providers.

"I'm sure everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," she said, according to a transcript of her speech. "The fact is, it never should have...As we've all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack."

Richey told the audience that the country's current dismal financial state may pose more of a threat to payment security than hackers. She called on the audience to "increase our presence as educators and advocates for data security."

"If we cannot convey the urgent need to maintain investments in payment security -- particularly in today's environment -- years of progress in building consumer trust could slip through our fingers," she said.

In addition, she urged businesses to provide ways that customers can protect themselves from fraud. Law enforcement, processors, legislators and merchants, meanwhile, must increase their levels of information sharing.

Finally, Richey said investment must be made in new payment authentication measures, such as chip technology, so that the data criminals may steal becomes worthless. She mentioned measures being taken at financial institutions such as Fifth Third Bank, which uses unique magnetic stripes that can be used to verify the identity of the card being used.

Avivah Litan, vice president and distinguished analyst at Gartner, said it was important to hear that Richey realizes the challenge of securing data will require new technology and an upgrade of the payment system to include things such as end-to-end encryption.

"I was glad to see Visa so progressive to admit they have to move beyond the PCI security standard, even though she didn't say that explicitly," Litan, who hosted a panel at the event, told Thursday.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.