The PCI Security Standards North America meeting in Las Vegas last week was one of the best-attended PCI events I can recall, with around 1,400 delegates. This says a lot about the state of the industry and the growing interest in this area.
One possible explanation for the high interest is that fraud is moving from the physical to the online world. The US is only beginning to adopt chip and PIN technology, and there has been a lot of focus about how this is forcing fraudsters to go after online targets instead. Our experience from Europe is that the introduction of chip and PIN technology resulted in a significant drop in face-to-face fraud.
Another driver for the high attendance might be the number of recent high-profile hacks linked to point of sale devices in the hospitality industry. Last month, HEI Hotels & Resorts, which operates the Marriott, Westin and Sheraton brands, had its payment systems breached. Even the breach at the restaurant operator PF Chang in 2014 continues to have repercussions. In June, the news broke that the company’s cyber insurance policy didn’t cover almost $2 million in fees and assessments following the breach that exposed around 60,000 customer records.
(I should point out here that PCI-DSS doesn’t cover the point of sale device itself – there are nine frameworks including the payment application data security standard [PADSS], and then on top of that you have PDSDSS which covers the physical security of the device and whether it’s possible to tamper with the device itself or change it to collect customer information.)
In our experience, many POS systems aren’t owned by the merchant but by a third party – usually either the acquiring bank or an external service provider. The more you outsource, the more you trust ‘strangers’ with your data – even though a fundamental principle of data protection is that it remains your responsibility to manage it. If we link this trend to the requirements that will come into force under EU GDPR, it’s not a good place to be. Now you have a situation where a data processor that is external to your organisation, is supposed to protect your customer payment information but could in fact be putting this data at risk.
As payment card fraud moves online, attackers see payment card data as low-hanging fruit. If the transaction is encrypted, they try to capture customer information at the point of use. The PCI meeting heard much discussion about the need to devalue data by encrypting and tokenising it, so that even if criminals do get their hands on it, the information is no good to them. Another interesting development that emerged at the meeting was how the industry is moving towards dynamic credit card numbers, which are essentially the equivalent of a one-time password.
I think this combination of technology capability and regulation provides a great opportunity for merchants to regain control of their data, to put proper governance in place and to manage third parties proactively. From a technology perspective, there is a cost involved, because those solutions are not cheap, but there are a lot of good options on the market that allow you to do it in the right way. They will allow merchants to show regulators that they know where the data is, how they classify it and most importantly to demonstrate that they are managing the risk and the attack surface. As long as you manage the risk and the attack surface, you’re in a stronger position from a compliance perspective.
Overall, my thoughts from the PCI Security Standards Las Vegas meeting are that technology advances are helping to reduce the scope of PCI all the time. In the future, merchants will get a POS device supplied by an acquiring bank that will encrypt all data from the device and tokenise it, so all that remains for the merchant to do is handle policies, procedures and training. There are positive developments, because they will make it easier to comply with the regulations.
Vigitrust sponsored the Las Vegas event and we’re also sponsoring the upcoming PCI Europe Community Meeting in Edinburgh from 18-20 October, and the Asia-Pacific Community Meeting which takes place in Singapore on 17-18 November. We hope to see you there, and we plan to discuss some of the talking points on the blog too.