Payment card breaches continue to plague retail and online operations here in the United States, while in Europe and many Asian countries the situation is less a concern owing primarily to the use there of chip cards rather than the magnetic stripe technology ingrained into U.S. operations. But the chip is being rolled out here, albeit slowly and a good deal of resistance.
In this exclusive Q&A, Stephen W. Orfei, GM at PCI SSC (Payment Card Industry Security Standards Council) speaks with RSA's Rob Sadowski to examine the situation.
Rob Sadowski: We continue to see evidence in payment card data breaches that detection takes too long. What do you think is the root cause of this problem?
Stephen W. Orfei (left): There is no single answer that fits a root cause for all payment breaches. But if we look at the issue in human terms, the lack of ongoing security vigilance is a primary reason for lengthy detection times. One example is consistent monitoring and testing of security controls. Monitoring provides actionable data to flag and address threats as they occur in real time – not months later.
Sadowski: When you look across the ecosystem of organizations that are required to comply with PCI Standards, are there any approaches that stand out as better or worse in terms of their ability to detect attacks?
Orfei: I'm an optimist and I believe there is a silver lining in the high profile breaches that have occurred. Cybersecurity is now a top priority in the c-suite and is being discussed and reviewed in the board rooms. There is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business as usual. We know that to be effective, security has to be built into a company's DNA. Organizations are learning that security is a 24/7 responsibility.
Sadowski: We often hear that attackers are “extremely sophisticated” – are they always going to be too far ahead of organizations to detect to stop breaches from happening?
Orfei: These criminals are organized and persistent, but the reality is that most attacks are basic and preventable. Ninety nine percent of breaches in 2014 were caused by known vulnerabilities with fixable patches. But even in the most sophisticated attacks, hackers leave traces that can be detected and mitigated. So, no, we won't always be outpaced by criminals. There are many companies who keep ahead of the curve today. They don't get breached and stay out of the headlines so we don't hear about them.
Sadowski: How important do you think threat intelligence sharing is for detection, and what is the PCI SSC doing to foster this?
Orfei: Information sharing is vital, and it always will be. Cybersecurity is like any other kind of battlefield. The good guys have to work together and share actionable intelligence to help companies defend themselves. The Council is working closely with global law enforcement and intelligence organizations, forensic investigators, FS-ISAC, legislators and payment brands to foster communication across industry and across borders. It will always be a core tenet of the PCI Council's work. The next step in the process, and we are moving towards it now, is to translate this intelligence into layman's terms. To put out actionable intelligence for the SMB market. The goal is to preempt the bad guys and discern when to sound the alarm. The cooperation I now see between the public and private sectors is in encouraging.
Sadowski (left): Recent RSA research found that more than 30% of organizations don't have a formal response plan. What's your sense on organizations who handle payment card data, if they get better at detection, will they be able to respond appropriately to prevent breaches?
Orfei: Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate compromise, but only if you invest in all three and get the human elements right. How well a company responds to attack will come down to investments in technology, training and partnerships they put into it. You can't plan for everything. It's too expensive. The right focus is balanced – prevention, detection and response, with a focus on the highest risks you face.
Sadowski: While improved detection is important, what else should organizations who handle payment card information be doing to make themselves more resistant to attacks?
Orfei: Protecting against today's attacks requires layered security. You need strong defenses, the ability to detect when those defenses are failing, and to respond and react quickly to mitigate compromise. This has to go hand-in-hand with technologies such as EMV chip, point-to-point-encryption and tokenization that devalue the data and make it useless in the hands of organized criminals, state funded actors and rogue states. You'll see a lot more about devaluing data across the payments ecosystem in the coming year.
The PCI Security Standards Council is an open global forum, launched in 2006, responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.