Visa risk chief: Reports of PCI's death exaggerated

Share this article:
Visa's top risk official on Thursday defended payment industry security guidelines, but also called on organizations to invest in constant monitoring, information sharing and new technology -- while not letting the sour economy get in the way of security spending.

"Recent rumblings about the demise of the [Payment Card Industry Data Security Standard] are not only premature, they are dangerous to long-term security," Ellen Richey, Visa's chief enterprise risk officer, said during her keynote address at the Visa Security Summit in Washington, D.C. "Despite recent negative commentary, the PCI DSS remains an effective security tool when implemented properly. Simply put, it is the best defense against data theft available today."

At the start of her talk, Richey referred to Heartland Payment Systems, which disclosed a monster breach in January. She told attendees to consider this an exception, not the rule.

The New Jersey payment processor had been validated as PCI DSS-compliant when hackers installed data-sniffing malware on the company's internal network. This resulted in some industry observers questioning the effectiveness of the guidelines. Visa later pulled Heartland from its list of PCI DSS-approved service providers.

"I'm sure everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," she said, according to a transcript of her speech. "The fact is, it never should have...As we've all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack."

Richey told the audience that the country's current dismal financial state may pose more of a threat to payment security than hackers. She called on the audience to "increase our presence as educators and advocates for data security."

"If we cannot convey the urgent need to maintain investments in payment security -- particularly in today's environment -- years of progress in building consumer trust could slip through our fingers," she said.

In addition, she urged businesses to provide ways that customers can protect themselves from fraud. Law enforcement, processors, legislators and merchants, meanwhile, must increase their levels of information sharing.

Finally, Richey said investment must be made in new payment authentication measures, such as chip technology, so that the data criminals may steal becomes worthless. She mentioned measures being taken at financial institutions such as Fifth Third Bank, which uses unique magnetic stripes that can be used to verify the identity of the card being used.

Avivah Litan, vice president and distinguished analyst at Gartner, said it was important to hear that Richey realizes the challenge of securing data will require new technology and an upgrade of the payment system to include things such as end-to-end encryption.

"I was glad to see Visa so progressive to admit they have to move beyond the PCI security standard, even though she didn't say that explicitly," Litan, who hosted a panel at the event, told Thursday.
Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.