Q&A: The importance of a risk-based approach to payment card security

The Payment Card Industry Data Security Standard (PCI DSS) has done much to cut credit card fraud by ensuring that businesses comply with the rules.

But Charles White, founder and chief executive of UK-based risk consultancy Information Risk Management (IRM), argues that it has now become little more than a tick-box activity which enterprises go through to gain accreditation.

Charles spoke to us about PCI DSS, how businesses need to be doing more to improve their security profiles, and why there are tough times ahead.

Why do you feel that the way PCI DSS operates needs to change?

When PCI DSS was first introduced there were breaches happening by the bucket load, not only in small merchants but big ones too. This was because people hadn't paid enough attention to security, so it wasn't unreasonable to give them a check list of things to do. It was a great way to start them thinking about security.

In more recent years, though, the credit card companies have really satisfactorily dealt with the problem. The number of breaches that occur in the level one and level two service provider areas is significantly reduced; you would almost have to be negligent were you to lose huge volumes of credit card data as a level one merchant. Breaches do still occur in level four merchants, but for the credit card companies the amount of data lost here is almost negligible in comparison to that in level one.

The credit card companies have really tightened up the amount of fraud and lost data through credit cards, not least because in Europe we adopted chip and pin. That is still not adopted in the US, which is why there is still significant fraud there: the technology, although available, is not deployed or used.

What needs to be done to make it more appropriate to today's world?

Because we now have companies that are much more aware of the issues around cyber security, and they're looking at applying that security across the organisation, not just to credit card data, we're looking at frameworks that don't necessarily correlate to PCI any more.

This is because PCI is a checklist and most other frameworks ask you to take a risk-based approach to deploying security. This involves identifying critical assets and making a judgement call on how material those assets are, the quantum of data in them, the value of that data, then applying appropriate controls to protect it.

Adopting a risk-based approach may make compliance more difficult, but compliance shouldn't be the end game; it should be about understanding the inherent risk and accepting that the business is prepared for it.

I don't know of a major UK retailer that isn't now using a risk-based system, which means that PCI and the PCI Council are now somewhat behind the curve and the direction the market is taking. In the next three or four years the Council will need to adapt their standards to reflect this new approach.

In Europe chip and pin has reduced fraud, but doesn't it just shift it to other channels like online and card-not-present?

Chip and pin only deals with the face-to-face environment; eCommerce, call centres and mail order/telephone order environments are not affected by it at all. We have deployed technologies that try to apply similar protection - things like Mastercard SecureCode and Verified by Visa - to provide an extra layer of fraud checking. Those tend to be around debit cards, though.

What's the next stage? Is it to move towards two-factor authentication, where you send a code to a mobile, for example?

Those sorts of technologies are starting to become important. There are lots of new contender payment providers that are bringing in some really innovative processes and methodologies for the eCommerce market. I think one or two things will happen: some of the contender processors will come to the fore with unique technologies, things like 2FA. Also, over time the core coding structures behind large eCommerce platforms will get better, so the likelihood of fraudsters finding routes for SQL injection will be much less.

The harder we make it for criminals to gain access, the more they have to try to monetise elsewhere. The reason credit card data is a popular target is that it's easy to make money from it. These guys are a business; they're not doing it for kicks. But we're now seeing a shift to things like ransomware because credit card data is becoming harder to get. It's easier to get a ransom payment than to have to shift 50,000 credit card numbers on the dark web.

And easier than trying to infect point of sale terminals or back office systems?

Absolutely. For the really big guys with a massive face-to-face environment it would mean writing clever malware and then being able to deploy it. It's simply easier for criminals to make money from blackmailing businesses with ransomware.

How much is combating the problem simply about education?

It's massively about education. At IRM we work closely with GCHQ and colleagues in the Cabinet Office; we're working to help them understand how to reach out to SMEs, and how we get them to understand that this is not just an IT problem. Cyber security is a business issue and everybody has to be involved.

Businesses should think about how they could monetise the data they hold. This gives them a fighting chance of dealing with the perpetrators. We have a romantic view of hackers as young kids in their bedrooms, but it's not true; they're much more sophisticated than that.

Do we need to do more to raise awareness at board level?

We do. The UK government has done quite a lot of work there already; it's made it clear that money needs to be spent to deal with the problem. A lot of companies were given a wake-up call by the TalkTalk débâcle. Up to that point most organisations hadn't paid much attention, but when they saw TalkTalk having to face the press, many directors suddenly thought, 'I don't want to be that person'.

If you look at what's coming down the line for big companies with the EU's General Data Protection Regulation, there are significant fines, up to four per cent of total turnover. Add to that, you will only have 72 hours to disclose a breach; that's not a huge amount of time for people who haven't done much to secure their systems properly.

As is often the way with government policy, there's a move from carrot to stick. Over the next few years, without question, we are going to go through a tough time for people who haven't paid enough attention to cyber security.
