The general manager of the Payment Council Industry Security Standards Council discusses what he plans to tell Congress about payment security.
The recent data breach
at retailer Target—which left 70 million Americans and their personal information at risk—is receiving Congress' attention this week in a number of hearings on data security. One of the participants in those hearings is Bob Russo, general manager of the Payment Council Industry Security Standards Council (PCI SSC), which oversees the PCI Data Security Standard (PCI DSS) for retailers and payment systems.
Russo is set to testify before the House Energy and Commerce committee on Wed. Feb. 5, while Russo's counterpart, Troy Leach, CTO of PCI SSC, is testifying before the Senate banking committee today. Both Leach and Russo have testified before Congress in the past about payment security and the work of PCI, Russo told eWEEK
The recent retail breaches that have been in the news highlight the need for a multi-layered approach to security, which is what the PCI DSS standard promises, Russo said. He stressed, however, that technology alone is not the solution. There have been some discussions that the use of EMV chip technology on credit cards would have prevented the Target data breach, since U.S. retailers largely only support magnetic-stripe-based cards.
"Security is about people, process and technology," Russo said. "We think that PCI is best positioned to drive this message, and we have a global body that has been doing this for the last seven and a half years."
The PCI standards have evolved over the years as market demands dictate. The U.S. government wants to do its part to help prevent future retail breaches, and the best place for the government to help is by putting its resources into law enforcement and information sharing, Russo said.
The U.S. government today does not have any direct involvement in the PCI SSC, though Russo noted that the PCI Council does collaborate with the government at every chance it can get.
Regarding the recent spate of retail breaches, Russo said that it's too early to tell what actually went wrong. Major U.S retailers are typically compliant with PCI DSS, which could lead to speculation that perhaps the standard is missing something that enabled the breaches.
"It's very hard to figure out what's going on, but if we go along the lines that it was some form of point-of-sale malware, there are a number of things in the PCI standard today to prevent malware from getting in," Russo said.
Once forensic information into the Target breach is available, understanding how the malware got into the system will be an important piece of the puzzle.
"The standard tells you, that you need to put a lock on the door, but the people part of the equation means it's up to you to actually lock the door," Russo said.
Once malware gets in, the PCI standards include provisions for monitoring the organization to see what's going on, Russo said.
Overall, Russo stressed that, as far as he is aware, the PCI standard and its approach of emphasizing people, process and technology is sufficient to limit the risks for retail payment systems.
"My message to Congress is that up until now there has been a lot of 'chicken little the sky is falling,' but until we actually see what is going on, there is no way to make a determination," Russo said.
Though the current payment retail system is a very complex environment, overall Russo said that it is his firm conviction that the PCI standards provide a really solid baseline for security. Ultimately, the message that Russo expects will emerge is that PCI compliance will be part of 'business-as-usual' operations and not a once-in-a-year compliance exercise. It's a message that is also a key part of the new PCI DSS 3.0 standard
, which went into effect Jan. 1.
While Russo is confident that PCI itself is a strong baseline for security, he's eager to see real detailed forensic information at it emerges from the Target breach.
"My gut feeling is that there isn't anything missing in the PCI standard, but if there is something that is missing in the standard, then we want to know, which is why we will be urging the government to collaborate on information sharing and law enforcement," Russo said. "Let's not forget who the bad guy is here; it's not the merchant and it's not PCI; it's the person somewhere in the world that hacked into the system and stole all the information."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.