PCI Council looks for ways to stem data breaches after bad year

The last year has been bad, but the technology is there to stop nearly all data breaches, experts said

A consortium that develops guidelines for protecting payment card data is hoping that emerging security technologies will help prevent breaches that made this year one of the worst ever on the security front.

"It's been a bad year," said Jeremy King, international director of the PCI Security Standards Council, at its Asia-Pacific Community Meeting in Sydney on Tuesday. "We hope to get better. Unfortunately, the criminals are getting better."

As many as 2.3 billion records were compromised this year, a figure close to the populations of India and China combined, King said.

One of the largest individual breaches was recorded by Home Depot, which lost 56 million payment cards in an attack on its point-of-sale system, launched after a third-party vendor's credentials to its network were compromised.

The PCI Council, founded in 2006 and funded by the card companies, develops security standards and guidance for payment networks and retailers. The meeting in Sydney is intended to help those in the industry implement better security practices to stop costly hacking attacks.

Many retailers are finding that even if they follow the PCI Data Security Standard (PCI DSS), their networks can still be vulnerable because of configuration errors. The PCI Council's position is that compliance with the standard, which the card companies require, means more than passing an annual audit.

"The criminals are more focused than we are," King said. "They are much more organized than we are. They are happy to fail 1,000 times if on the 1,001 they get in."

As of Jan. 1, organizations will have to be assessed against PCI DSS 3.0, the latest version of the standard. Version 3.0 has been available for about a year, but during this year organizations could still choose to be assessed against version 2.0.

Many of the improvements merchants can make are process oriented, such as changing the default passwords on remote-access systems and ensuring that all stored card data is encrypted at rest.

The adoption in the U.S. of EMV (Europay, MasterCard and Visa) technology, also known as chip-and-PIN, should make an impact on face-to-face and lost card fraud, King said.

Europe has long issued EMV cards, which carry a microchip that uses a cryptographic process combined with a PIN to authorize a transaction. Criminals have yet to forge the chip; they have concentrated on cloning cards from the data held on the magnetic stripe.

Europe has correspondingly seen a sharp rise in card-not-present fraud, as criminals thwarted by EMV turned to collecting card details that can be used in transactions that do not require a physical card, such as purchases over the Internet, he said.

One positive point of the last year's troubles is that data security now has the attention of C-level executives, as stopping data breaches also means job security for those executives, said Stephen W. Orfei, the incoming general manager of the PCI Council.

Also, all of the breaches of the last year could have been prevented, Orfei said. The industry is looking at ways to "devalue" payment card data, or modify it so that it would be useless if it fell into the hands of criminals, he said.

One of those technologies is point-to-point encryption, which encrypts card data at the moment it is captured, inside the card reader, so the merchant's systems only ever handle ciphertext. Many of the recent data breaches have been attributed to memory-scraping malware that harvests card data from a point-of-sale computer's RAM, where it sits briefly in the clear while a transaction is processed. If the data is already encrypted when it reaches that computer, what the malware collects is unusable.
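The following is an added example, not code from the article or from the PCI Council, showing why encryption at the point of capture defeats a memory-scraping POS malware. It builds a constructed snapshot of POS process memory, scans it for Track 2 data the way a scraper would, then repeats the scan after the same swipe has been encrypted by the reader before it reached the POS; the payment processor, which holds the reader's key, still recovers the swipe. The PAN is a well-known test number, and HMAC-SHA256 in counter mode stands in for the AES/DUKPT scheme a real P2PE reader uses, an assumption made so the script needs no third-party packages.

```python
"""Added example (not from the article): encryption at the point of capture
versus a RAM-scraping POS malware.

A scraper walks a POS process's memory looking for Track 2 data
(PAN '=' expiry, service code). The memory snapshot, the test PAN and the
HMAC-SHA256 counter-mode cipher below are all constructed stand-ins; a
real P2PE reader encrypts with AES under DUKPT keys in tamper-resistant
hardware (assumption stated in the lead-in)."""
import hashlib
import hmac
import re
import secrets

# Track 2 pattern a scraper hunts for: 13-19 digit PAN, '=' separator,
# YYMM expiry and 3-digit service code. Bytes regex because it runs over raw memory.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})")

# Constructed test swipe: Visa test PAN 4111..., expiry 12/25, service code 101.
TEST_TRACK2 = b"4111111111111111=25121011234567890"

NONCE_LEN = 12


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used to drop regex false positives (real scrapers do this too)."""
    digits = [int(c) for c in pan][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0


def scrape(memory: bytes) -> list:
    """What a RAM scraper would exfiltrate: every Luhn-valid PAN found in Track 2 form."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XORed over data (symmetric: the same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def reader_encrypt(track2: bytes, reader_key: bytes, nonce: bytes = b"") -> bytes:
    """P2PE reader output: nonce || ciphertext. This is all the POS ever sees."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(reader_key, nonce, track2)


def processor_decrypt(blob: bytes, reader_key: bytes) -> bytes:
    """Processor end of the tunnel: the only place the key, and so the PAN, exists."""
    return _keystream_xor(reader_key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def pos_memory(payload: bytes) -> bytes:
    """Constructed snapshot of the POS process heap around one transaction."""
    return b"\x00\x00POS v2.1 log\x00" + payload + b"\x00txn ok\x00"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("legacy POS, scraper finds:", scrape(pos_memory(TEST_TRACK2)))
    blob = reader_encrypt(TEST_TRACK2, key)
    print("P2PE POS, scraper finds:  ", scrape(pos_memory(blob)))
    print("processor recovers swipe: ", processor_decrypt(blob, key) == TEST_TRACK2)
```

The point the scan makes is that the malware's search space is the POS host's memory; once the plaintext swipe never enters that host, the same scraper code returns nothing, and the merchant no longer holds a key that could turn the ciphertext back into card data.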

Point-to-point encryption isn't mandatory in PCI-DSS 3.0, but it is a standalone recommendation, said Troy Leach, CTO of the PCI Council. "We have looked at the future and what version 4.0 may bring, and that is a likely possibility," he said.

Also under discussion is wider use of tokenization, Orfei said. With tokenization, the merchant's systems store and pass around a surrogate value, the token, in place of the real card number; the only mapping from token back to card number is held by the token service provider. A token intercepted from the merchant cannot be used to authorize further transactions elsewhere, unlike a full card number.
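The following is an added example, not code from the article or from any PCI-listed tokenization product, showing the token vault the "devalue the data" argument rests on. The merchant keeps a token in its order records while the vault, run by the payment provider, keeps the only table mapping tokens back to PANs. The token/PAN pairing is random rather than derived, so nothing stolen from the merchant (records, code or keys) reverses it, and each token is bound to the merchant it was issued to. Two design choices are this example's own, not PCI requirements: tokens keep the last four digits for receipts, and they are deliberately made to fail the Luhn check so they can never pass as a card number. The PAN is a well-known test number and the merchant identifiers are invented.

```python
"""Added example (not from the article): a token vault that replaces PANs in
merchant records with surrogate values that are useless outside the vault.
Merchant identifiers, order records and the test PAN are constructed."""
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: True for a well-formed card number."""
    digits = [int(c) for c in pan][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0


class TokenVault:
    """Provider-side vault (assumption: the merchant never hosts or copies this)."""

    def __init__(self) -> None:
        self._pan_by_token = {}   # (merchant, token) -> PAN: the only way back
        self._token_by_pan = {}   # (merchant, PAN) -> token: repeat customers get the same token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a card number")
        if (merchant_id, pan) in self._token_by_pan:
            return self._token_by_pan[(merchant_id, pan)]
        while True:
            # Random body, real last four: no key or hash links the token to the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Never issue a Luhn-valid token, and never reuse one for this merchant.
            if not luhn_ok(token) and (merchant_id, token) not in self._pan_by_token:
                break
        self._pan_by_token[(merchant_id, token)] = pan
        self._token_by_pan[(merchant_id, pan)] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Only the vault maps back, and only for the merchant the token was issued to."""
        try:
            return self._pan_by_token[(merchant_id, token)]
        except KeyError:
            raise PermissionError("unknown token for this merchant") from None


def scan_for_pans(records: list) -> list:
    """What an attacker who dumps the merchant's order table would get: Luhn-valid PANs."""
    return [v for r in records for v in r.values()
            if isinstance(v, str) and v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v)]


def run_demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"
    # Before: the merchant stores the PAN itself; a dump of the table is a usable card.
    legacy_orders = [{"order": "A-1001", "card": pan, "amount": "49.95"}]
    # After: the merchant stores the token the vault returned at checkout.
    token = vault.tokenize("merchant-A", pan)
    tokenized_orders = [{"order": "A-1001", "card": token, "amount": "49.95"}]
    try:  # a token stolen from merchant A is useless under any other merchant
        vault.detokenize("merchant-B", token)
        cross_merchant_rejected = False
    except PermissionError:
        cross_merchant_rejected = True
    return {
        "legacy_dump_yields": scan_for_pans(legacy_orders),
        "tokenized_dump_yields": scan_for_pans(tokenized_orders),
        "token_keeps_last4": token[-4:] == pan[-4:],
        "token_is_not_a_pan": not luhn_ok(token),
        "same_token_on_repeat": vault.tokenize("merchant-A", pan) == token,
        "vault_recovers_pan": vault.detokenize("merchant-A", token) == pan,
        "cross_merchant_rejected": cross_merchant_rejected,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The scan over the order table is the practical test of "devalued" data: the same dump that yields a card number from the legacy table yields nothing from the tokenized one, and a token that leaks still cannot be turned back into a PAN without a request to the vault under the issuing merchant's identity.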

"If you think about it, the technology is there now," Orfei said. "You can actually devalue the data, and that is the end game."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service