On-Site Coverage: Visa Security Summit: Chip and Pin Is In
WASHINGTON — If nothing else, card-issuing credit unions should feel assured that an awful lot of intelligent people go to work every single day with no higher priority than helping to keep their card data secure.
That was the unstated yet evident theme of Visa’s 2011 Global Security Summit, a roughly bi-yearly event that brings together leading experts across a number of different disciplines and payment platforms whose jobs are to keep card data out of the hands of thieves.
In previous years, the No. 1 worldwide card brand had convened the meeting in atmospheres of crisis. Intelligent, organized hackers had managed to discover troves of consumer credit and debit card data and were pillaging them, either to commit fraud themselves or to sell the information to others who would do so. Law enforcement and payment systems appeared outmaneuvered and behind the technical curve, and some card issuers were forced to close and reissue both debit and credit cards multiple times per year. The cost of fraud insurance on card accounts began to sharply rise, to the point where some CUs began to contemplate leaving the business.
But this year, the meeting's ambiance felt a tad more relaxed. No one suggested the industry should not remain diligent against data security threats, but many of the speakers addressed their topics with greater confidence and almost none appeared to speak from a feeling of panic. Everyone, it seemed, had a much better handle on what needed to be done, at least generally, and speakers tended to disagree more on questions of how best to do it.
Visa Chief Enterprise Risk Officer Ellen Richey set the tone in her opening remarks, which looked back on how the industry moved past the crisis atmosphere while still acknowledging the ongoing threat.
Meanwhile, news broke on the morning of the conference that Sony Corp. had experienced a massive data security breach tied to its popular PlayStation computer gaming network.
"No one reading the headlines this morning can believe we have gone as far as we have to go in securing data," Richey told the meeting. "But we have made progress."
Some of the signs of progress included steadily growing compliance with PCI data standards, the industry's chief way of securing payment networks. Richey reported that 75% of top processing merchants, so-called Tier 1 and Tier 2, worldwide are PCI compliant and 95% of similarly sized merchants in the U.S. are regularly PCI compliant.
It remains unclear whether the Sony breach compromised consumer card data; if it did, the event represents an aberration rather than the norm, she indicated.
Other signs of success included growing consumer confidence in online commerce, up 30% in the last year, as well as an increasing ability on the part of card issuers and merchants to catch fraud using neural networks.
But she also reminded the audience of the Sony headlines and that 61% of consumers still believed the criminals are winning the data security wars. "Obviously, consumer confidence is the hardest nut to crack and why we continue to work as hard as we do to keep one step ahead of the criminals in this struggle," she added.
The capture and successful prosecution of Albert Gonzalez, the ring-leading hacker who formed a team of data thieves that was responsible for most of the last decade's largest card data thefts, was remembered and celebrated. Gonzalez is currently serving a 20-year sentence in federal prison.
One panel's members included law enforcement personnel who were responsible for capturing and prosecuting Gonzalez, as well as a journalist who had interviewed him at some length after his capture. Members of the panel shared some of the information they gleaned from debriefing Gonzalez as well as some insights on the impact of his actions on the industry.
For example, in letters with a law enforcement official, Gonzalez wrote that firms charged with detecting data breaches should pay close attention to the sources of information coming into their systems and the locations of information leaving their systems. Just like non-cyber thieves, cyber thieves have to get the information they are stealing off the home system, and that movement could be more easily detected.
The panelists told attendees that Gonzalez has never claimed to be a "premier hacker" but that his true skills are management.
"He was a very good CEO or foreman," said Secret Service Special Agent Pete Gannon. "He was very good at figuring out who could do what in different parts of the operation and then organizing their work toward a central goal."
Gonzalez’ operations grew over time and generally he took on more people as he needed to handle parts of the operation that had become too time-consuming, the panel agreed. Gannon noted that he started cooperating with someone overseas to sell card numbers after that part of the operation began taking too much time for him to do himself.
"His level of organization was really quite extraordinary," said Kim Peretti, former US Assistant District Attorney who led the Gonzalez prosecution. "Particularly when you consider how much drug use was going on at the time."
Looking forward, the Visa Summit also convened an international panel to discuss the future of smart cards or EMV chip cards, which the panelists all agreed represented the best approach available in current technology to fight card fraud.
The panel of regulators, card issuers and merchants roundly endorsed using cards with embedded chips as a primary means of combating fraud and cutting fraud protection costs.
Stephen Fedor, senior director for loss prevention and investigations for the Canadian Imperial Bank of Commerce, recounted how his bank, which issues both chip and pin and magnetic stripe cards, had card holders traveling in Europe report not being able to make purchases without chip and pin.
While the panel agreed that chip cards are better, there was less agreement on the best way to bring the cards to more common usage in the U.S.
Richard Oliver, senior vice president with the Federal Reserve Bank of Atlanta, told the meeting that he doubted whether the Federal Reserve would dictate the adoption of chip and pin. They might, he said, but it would be better if the private sector did it, and if they did, it would be a very cautious approach.
Mike Cook, vice president and assistant treasurer for Wal-Mart, surprised most of the meeting participants with the news that a majority of Wal-Mart stores were already capable of accepting chip cards and that the retail chain was already accepting government benefit cards with chips in three states.
Cook told the panel that he expected the shift to chip and pin would come when card issuers began to see a competitive advantage in issuing cards with chips over magnetic stripes.
Sony Suffers Major Security Breach
Sony Corp. reported that 70 million consumers around the world have had their personal data compromised in the latest major data security breach, according to media reports.
The company has not yet completely evaluated the damage but said that it believes no consumer credit or debit card data was compromised.
Patrick Seybold, senior director of corporate communications for Sony Computer Entertainment America, wrote about the breach on the company's blog.
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided," wrote Seybold. Things like name, address (city, state, zip), country, email address, birth date, and game ID and passwords were compromised, he said. "It is also possible that your profile data, including purchase history and billing address ... and your PlayStation Network/Qriocity password security answers may have been obtained. ... While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," he added.