Protecting Payments in 2015: Exclusive Q&A With PCI SSC’s Stephen Orfei
Stephen W. Orfei, General Manager of the PCI Security Standards Council, has more than 20 years of experience leading in the payments industry. His mission is to create an open and collaborative environment to improve payments security. We discuss the challenges of not only securing payments, but also getting all stakeholders on board for the development and deployment of a global standard.
Kevin Xu: In this hyper-competitive industry how can the PCI SSC foster collaboration?
Stephen W. Orfei: Collaboration – cross-industry, public and private, and globally – is critical. And we’ve made some significant inroads in the space working with policy makers and law enforcement to drive information sharing, industry and merchant associations, as well as the acquirer community. But we need to do more. We need to put the merchant and the acquiring community front and center, and we need to work with them on simplifying security to the extent that that is possible. And a lot of that involves speaking to the small and midsize business market, in language that they can understand and get their arms around: “Mr. Merchant, here’s what this means to you, here’s how the attack was perpetrated, here’s how you defend against this attack, here’s where you get your solution.”
So, much has been said about the EMV upgrade. How does PCI fit into that?
The EMV chip is a critical layer of security and it will absolutely deliver on its promise to button down the point of sale and defend against counterfeit, fraud, lost, and stolen card transactions. And we know this to be a fact. This isn’t new technology. It’s been in the European and Asia-Pacific theaters in excess of ten years. But what we’ve also seen in these regions is while chip technology drastically reduces fraud in the face to face environment, it doesn’t protect against attacks in the card-not-present space. So, once we roll out EMV here in the U.S., we can expect fraud will migrate to the card-not-present environment. Which is why PCI SSC advocates for multiple layers of security that address people, process, and technology. When EMV chip is combined with PCI Standards, then you really have a very formidable defense against hacks and attacks.
So, what are the steps to get the ball rolling on this?
Our requirements revolve around these twelve points, but you have to look at your entire card-holder data environment, understand what’s in scope, what’s in play, and then who has access to it, where do you authenticate, where can you encrypt, what are the different layers you can use EMV at the point-of-sale. Point-to-Point Encryption and tokenization very effectively take the PAN (primary account number) out of the environment, which is ultimately the end game - devaluing the data so that it is useless in the hands of criminals. And we have three technologies that will deliver that endgame scenario if bundled and implemented securely: EMV chip at the point of sale, point-to-point encryption, and tokenization.
To help support this, we are publishing best practices around tokenization as well as updated requirements for point-to-point encryption solutions to help merchants adopt this technology in their payment security efforts.
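The answer above describes tokenization as taking the PAN out of the merchant environment so that stolen records are worthless. The following Python sketch is an added illustration of that idea; it is not code from the interview, from PCI SSC, or from any PCI standard. The `TokenVault` and `MerchantStore` classes, the `tok_` token prefix and the test card number 4111 1111 1111 1111 are all constructed for this example. A production vault would encrypt stored PANs at rest and sits in PCI scope itself; the point shown here is only that the merchant's order records hold a random token plus the last four digits, so a breach of those records cannot recover a PAN.

```python
"""Vault-style tokenization of a PAN (added example, not PCI SSC material)."""
import hmac
import secrets
from hashlib import sha256


def normalize_pan(pan):
    """Strip the spaces a customer might type; everything else must be digits."""
    return pan.replace(" ", "")


def luhn_valid(pan):
    """Luhn check-digit validation, used to reject malformed PANs before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service: the only place a token maps back to a PAN."""

    def __init__(self):
        self._pan_by_token = {}      # token -> PAN (would be encrypted at rest)
        self._token_by_hash = {}     # keyed HMAC(PAN) -> token, for repeat lookups
        self._hmac_key = secrets.token_bytes(32)  # never leaves the vault

    def _pan_hash(self, pan):
        # Keyed hash so the lookup index does not itself leak PANs if copied.
        return hmac.new(self._hmac_key, pan.encode(), sha256).hexdigest()

    def tokenize(self, pan):
        pan = normalize_pan(pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        h = self._pan_hash(pan)
        if h in self._token_by_hash:
            return self._token_by_hash[h]   # same card, same token (repeat customer)
        token = "tok_" + secrets.token_hex(16)  # random: not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_hash[h] = token
        return token

    def detokenize(self, token):
        """Only the vault (e.g. at settlement time) can turn a token back into a PAN."""
        return self._pan_by_token[token]


class MerchantStore:
    """What the merchant keeps: token, display mask and amount, never the PAN."""

    def __init__(self):
        self.orders = {}

    def record_order(self, vault, order_id, pan, amount):
        pan = normalize_pan(pan)
        token = vault.tokenize(pan)
        self.orders[order_id] = {"token": token, "last4": pan[-4:], "amount": amount}
        return self.orders[order_id]

    def pan_exposed(self, pan):
        """Simulates an attacker reading the whole order table: is the PAN in it?"""
        return normalize_pan(pan) in str(self.orders)


if __name__ == "__main__":
    vault, store = TokenVault(), MerchantStore()
    rec = store.record_order(vault, "order-1", "4111 1111 1111 1111", "12.50")
    print(rec)                                   # token + last4 only
    print(store.pan_exposed("4111111111111111"))  # False: breach yields no PAN
```

Running the module shows an order record containing a `tok_` value and `last4`, and `pan_exposed` returning `False`; only `vault.detokenize` can recover the number, which is why the vault, not the merchant's order database, is where the security effort concentrates.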
What can you tell us about the recent high-profile data breaches?
These recent high-profile compromises we’ve seen in the marketplace have highlighted two things. One is the critical importance of payment security. We finally have the attention of the C-suites through the corporations throughout the U.S. and around the world. And they realize now that cybersecurity equals job security. And they’ve worked so hard to build out their branch, products, and services, and they can still find themselves on the front page the next day and no organization is immune. Secondly, these kinds of attacks are preventable. Despite what you see in the media claiming that the attack vectors have evolved and have become much more sophisticated, more often than not it comes down to security basics. We can defend against these attacks, which is why we’ve got to change the dialogue in the marketplace. We have to move from a compliance orientation to a prioritized, risk-based approach to security.
And security is not something you do once a month or once a year in a term and in an audit, but it needs to be part of a company’s DNA from the top down, 24/7. I mean, our adversaries are persistent, they’re intelligent, they’re skilled, and we need to step up our game and take them on.
You’re working with some of the biggest players in payments along with the SMBs. How do you get all the stakeholders together in developing these industry standards and pushing to implement them?
So the Council is really unique in that we truly do speak to and interact with the entire payment ecosystem at a global level. We talk to the merchants, the acquirers, the processors, the technology vendors, the payment brands, the banks. They all have the opportunity to participate with us in developing our standards and why I believe they are the in the marketplace.
Additionally, this week at TRANSACT15 we’ll be meeting with acquirers to collaborate on how to provide solutions to merchants that simplify security and reduce risk.
Who else are you working with outside of payments to develop these standards?
In addition to working with the payments community, we are also working globally with policymakers, the law enforcement community and other industry groups and associations to collaborate on improved payment security.
So, 2015 will probably be pretty huge in efforts in educating merchants, especially the SMB. What’s your elevator pitch to them to express the benefits of being PCI-compliant?
We understand that these merchants and especially smaller merchants continue to be highly vulnerable when it comes to cyberattacks and hacking. These businesses typically do not have the technical knowledge or resources to understand how to apply PCI Standards to protect payment data against these attacks. With this in mind, we have formed a small merchant taskforce and are working closely with merchant associations like the National Restaurant Association, Retail Industry Leaders Association and the Retail Solutions Providers Association to improve the understanding of payment security basics and available resources that can ease the process for these organizations. We have also increased our board members by six merchant positions so that the merchants are the largest number of participants in our board of advisors, and we’re working very closely with RSPA to train and certify QIRs (Qualified Integrators and Resellers).
What are some points that you’d like to make for the audience at ETA?
At TRANSACT15 this week, we’re thrilled to be meeting with acquirers and other industry stakeholders to advocate the importance of EMV chip, tokenization, and point-to-point encryption with PCI Standards as a layered approach to payment security. We’ll be hosting our first acquirer forum for the year alongside TRANSACT15, to collaborate on payment security solutions for merchants; speaking on stage on lessons the U.S. can learn from EMV chip implementation in Europe and other regions; discussing our newly released tokenization best practices and the critical importance of taking a layered approach to security, as well as talking with merchants and the integrator and reseller community on our newly revised Qualified Integrator and Reseller (QIR) program to train and certify these companies on installing and reselling merchant payment solutions, a huge vulnerability in the marketplace. It’s my first time out at TRANSACT, so I’m looking forward to it. And I think we’re going to see a lot of collaboration and good information exchange and build out relationships. Let’s really stay focused on who the enemy is, and the enemy is organized crime and hackers. Together we need to take them on. And that’s what we’re doing.