Payment card breaches continue to plague retail and online operations here in the United States, while in Europe and many Asian countries the situation is less of a concern, owing primarily to the use there of chip cards rather than the magnetic stripe technology ingrained into U.S. operations. But the chip is being rolled out here, albeit slowly and with a good deal of resistance.
In this exclusive Q&A, Stephen W. Orfei, GM at PCI SSC (Payment Card Industry Security Standards Council), speaks with RSA's Rob Sadowski to examine the situation.
Rob Sadowski: We continue to see evidence in payment card data breaches that detection takes too long. What do you think is the root cause of this problem?
Stephen W. Orfei: There is no single answer that fits a root cause for all payment breaches. But if we look at the issue in human terms, the lack of ongoing security vigilance is a primary reason for lengthy detection times. One example is consistent monitoring and testing of security controls. Monitoring provides actionable data to flag and address threats as they occur in real time – not months later.
Sadowski: When you look across the ecosystem of organizations that are required to comply with PCI Standards, are there any approaches that stand out as better or worse in terms of their ability to detect attacks?
Orfei: I'm an optimist and I believe there is a silver lining in the high-profile breaches that have occurred. Cybersecurity is now a top priority in the C-suite and is being discussed and reviewed in the boardrooms. There is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business as usual. We know that to be effective, security has to be built into a company's DNA. Organizations are learning that security is a 24/7 responsibility.
Sadowski: We often hear that attackers are “extremely sophisticated” – are they always going to be too far ahead of organizations to detect to stop breaches from happening?
Orfei: These criminals are organized and persistent, but the reality is that most attacks are basic and preventable. Ninety-nine percent of breaches in 2014 were caused by known vulnerabilities with fixable patches. But even in the most sophisticated attacks, hackers leave traces that can be detected and mitigated. So, no, we won't always be outpaced by criminals. There are many companies who keep ahead of the curve today. They don't get breached and stay out of the headlines, so we don't hear about them.