Payment Card Industry meetings address future of card security

PCI Security Standards Council meetings review issues such as card fraud and encryption but overlook solutions

I recently attended the Payment Card Industry (PCI) Community meetings in Las Vegas, Nevada (Sept. 22-24, 2009), and came away with several observations that could have a significant impact on how banks, merchants and consumers handle credit and debit card fraud. For those of you not familiar with PCI Security Standards Council, the open global forum focuses on developing and implementing security standards for account data protection. The council provides guidelines on how business owners and financial institutions should protect personal information, and these guidelines serve as a mandatory requirement for organizations that process, store or transmit payment cardholder data.

Doing More than the Minimum

During the meeting, PCI Council addressed the need for the PCI community to think about overall security as opposed to just meeting the "check list" of PCI-Data Security Standard (DSS) requirements. This is an intriguing concept, as this wider view encourages people to consider security technologies and methods that go beyond just simply "protecting cardholder data." While some in the financial community may use PIN numbers and encryption as first and second layers of protection, we must remember that there is a third layer - which I feel is a critically important layer - that provides the missing piece for comprehensive data protection and transaction security. This powerful layer includes the important concept of dynamic card data authentication, but I am getting ahead of myself.

The next important take-away from the meeting was that the threat, sophistication, and frequency of cybercrimes on card payment data have soared to an all-time high. Even more concerning is that no end to such threats is in sight. According to new statistics presented by Christopher Novak, the managing principal of investigative response for Verizon, the breadth and depth of the problem is worsening. Novak reviewed data and information collected as part of an independent study commissioned by Verizon which analyzed businesses that suffered payment data breaches. The results of the study were sobering, as they clearly underscored the reasons why the payment community needs to remain vigilant and proactive in protecting cardholder data and securing payment transactions.

But not all the news stemming from the PCI Council meeting was bad. A subsequent presentation titled "Emerging Technologies Research" shed light on five technologies that may improve the ability for the PCI community to obtain compliance to PCI-DSS requirements, reduce fraud, or even negate the need for PCI requirements altogether.

The highlighted technologies included:

  • End-to-End Encryption;
  • Dynamic Payment Card Data;
  • Magnetic Stripe Imaging;
  • Tokenization; and
  • Virtual Terminals.

Granted, the Emerging Technology research presentation was cautiously (and appropriately) framed as being preliminary with the clear caveat that information may not be 100 percent accurate or complete. However, with that understanding, I found the following points from that presentation to be enlightening:

  • There is no singular "silver bullet" technology that will assist in reducing existing PCI compliance requirements or reduce fraud. A layered security approach is best. Each of the aforementioned technologies provide either compliance and/or enhanced security merits depending upon how they are implemented.
  • End-to-end encryption appears to show the most immediate promise to assist with compliance to the existing PCI requirements for "protection of cardholder data." The research suggests that this technology has the ability to completely remove card data out of the merchant environment, effectively maintaining security of cardholder data during storage, transmission, and processing. However, End-to-End Encryption has the significant inability to reduce fraud from counterfeit cards.
  • Dynamic payment card data technology appears to show the best long-term promise to improve overall security and to "make stolen card holder data useless" to criminals. Most importantly, the presentation suggested that this technology "has the potential to eventually eliminate the need for PCI-DSS."
  • Magnetic stripe imaging shows promise as a real-time fraud reduction technology that can detect and prevent the use of counterfeit magnetic stripe cards.
This content continues onto the next page...