PCI Standard Losing Ground: Data Security Exec
A Silicon Valley executive said Monday he doubts whether the card industry's prevailing data security standard can continue to provide meaningful consumer payment data protection.
Eric Chiu, co-founder and president of cloud security firm HyTrust, told Credit Union Times 2014 could become the Year of the Data Security Breach unless payment industry executives find a way to more quickly and thoroughly update card data security standards and practices.
The payments industry in the U.S. has relied upon merchants, processors and issuers complying with the requirements of the Payment Card Industry Data Security Standard since the end of 2004, and Chiu praised the standard for having prevented an unknown number of attacks and breaches.
“We would probably be even worse off if we didn't have it,” he said.
The existing PCI DSS seeks to maintain payment card data security by mandating what parts of the process must be encrypted and what level of complexity that encryption must maintain. It also limits the amount of consumer payment data that retailers can store online.
But by its nature, the standard is slow to update, complicated to monitor and difficult to implement, Chiu said, and there is evidence hackers have found new and innovative ways to repeatedly defeat it.
Chiu pointed out the data standard is also tasked with protecting a steadily growing amount of data; reports suggest that the data taken from Target, Neiman Marcus and other retailers was not limited to payment data, but also included names, addresses and other consumer data taken from other parts of the retailers' networks.
“What I have been saying for some time is that we may need to change our data security approach from solely protecting the data and networks from intruders on the outside and also start focusing on protecting data from intruders we believe have managed to get inside,” Chiu said.
Too many data protection regimes are like M&M candies, he explained.
“They are hard on the outside and soft on the inside,” Chiu said. “Retail corporations, processors, anyone who is keeping consumer data need to start asking themselves ‘how would I protect consumer data if I believed hackers were already able to access our network.’”
Chiu agreed more widespread movement to cards that validate transactions through embedded chips would go a long way to fight fraud at the point of sale, but added the steadily expanding range of targets for theft means protecting data networks will remain an abiding concern for some time.
“Since consumer data can be held and used for identity theft and other frauds for months and possibly years later, its value has steadily risen. Anything that valuable is going to need additional protection,” Chiu observed.