
Incoming PCI council head ready to take on the hackers

Taylor Armerding | Oct. 28, 2014
Stephen W. Orfei talks about goals, threats, EMV, layered security and why ‘risk mitigation’ is better than compliance.

CSO: Given that the holiday shopping season has also come to be known as "hacker season," what are the special/unusual risks confronting companies and shoppers?

Orfei: Make no mistake, hackers are hitting everything that's not nailed down, and they know that the holidays are a particularly vulnerable time for merchants. Not only does the increased number of payment transactions make retailers a high-value target for hackers, but also temporary staff changes and updates to systems that take place during this busy season can put businesses at increased risk. With these seasonal challenges against the backdrop of vulnerabilities and threats such as Shellshock and Backoff malware, it is more critical than ever for organizations to be vigilant.

CSO: What can merchants do to mitigate those risks?

Orfei: It's important for businesses to keep their eye on both their sales and their IT systems at all times. Organizations should prioritize the strong security principles found in PCI Standards, and maintain a multi-layered security approach that involves people, process and technology working together to protect consumers.

Take the time now to do an inventory of your computers and systems to ensure that all assets that touch the payment system have the latest software updates and patches.

Malware and other agents make their way into systems because basic controls fall down, such as changing passwords, patching systems, and managing access. In addition, make sure that you have monitoring and network surveillance in place to alert you immediately to any anomalous activities or changes to your systems that could put payment data at risk.

CSO: What are the most important technology investments organizations can make to minimize the value of data and ease compliance efforts to increase security?

Orfei: Rendering cardholder data useless to criminals is the end game. This means that even if a criminal is able to steal cardholder data, its possession should be impossible to exploit. We're at an exciting place today, in that we actually have the technology available to help us do this. EMV chip, tokenization and point-to-point encryption are more accessible and available than ever. Used together, these provide a layered approach to payment security that makes theft of cardholder data a non-event. Use of these technologies can also simplify the process of compliance.
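As an added illustration of the tokenization part of that answer (example code written for this article, not anything from the PCI Council or from any listed tokenization product), the toy token vault below swaps a card number for a token that keeps only the last four digits. The vault, its keyed lookup index and the record layout are constructed assumptions; the point it makes concrete is that a merchant database holding tokens instead of PANs yields nothing usable if it is stolen, and that a token can never itself pass as a valid card number.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy token vault, constructed for illustration only.

    It lives with the payment processor, never with the merchant. A real vault
    would encrypt stored PANs at rest and sit behind strict access control;
    that is omitted here so the token-to-PAN mapping stays visible.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        # Keyed lookup index: a plain hash of a PAN is brute-forceable because the
        # space of valid card numbers is small, so an HMAC under a secret key is used.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Swap a PAN for a token that preserves only the last four digits."""
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a well-formed card number")
        idx = self._index(digits)
        if idx in self._token_by_index:      # same card, same token: repeat customers stay linkable
            return self._token_by_index[idx]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = prefix + digits[-4:]
            # A token must never be a valid card number. Changing any single digit
            # always breaks the Luhn checksum, so a leaked token cannot be charged.
            if luhn_ok(token):
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can turn a token back into a PAN."""
        return self._pan_by_token[token]


def pans_recoverable_without_vault(merchant_records: list[dict]) -> int:
    """Count card numbers an attacker gets from the merchant's own records alone.

    Records holding real PANs count; records holding tokens never do, because
    tokens are built to fail the Luhn check.
    """
    return sum(1 for r in merchant_records if luhn_ok(r["card"]))


if __name__ == "__main__":
    vault = TokenVault()                      # processor side
    test_pan = "4111 1111 1111 1111"          # constructed, widely used test number
    before = [{"order": 1, "card": test_pan.replace(" ", "")}]
    after = [{"order": 1, "card": vault.tokenize(test_pan)}]   # merchant stores the token only
    print("merchant DB with PANs   ->", pans_recoverable_without_vault(before), "usable card(s) if stolen")
    print("merchant DB with tokens ->", pans_recoverable_without_vault(after), "usable card(s) if stolen")
    print("token shown to the customer ends in", after[0]["card"][-4:])
```

The same PAN always maps to the same token, so the merchant can still recognise a returning card for refunds or fraud scoring without ever holding the number; everything that can turn the token back into a PAN stays on the processor side.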

CSO: Why should CSOs move beyond a strong defense to an aggressive offense? What do you mean by offense: attacking the attackers, or something different?

Orfei: Offense means never taking your foot off the gas. Hackers are an unremitting, unrelenting foe. Our approach needs to meet this challenge. This means you're not stopping at protecting from the current attack vectors; you're thinking steps ahead and continuing a layered approach to security.

