WASHINGTON — If nothing else, card-issuing credit unions shouldfeel assured that an awful lot of intelligent people go to workevery single day with no higher priority than helping to keep theircard data secure.

That was the unstated yet evident theme of Visa's 2011 GlobalSecurity Summit, a roughly bi-yearly event that brings togetherleading experts across a number of different disciplines andpayment platforms whose jobs are to keep card data out of the handsof thieves.

In previous years, the No. 1 worldwide card brand had convenedthe meeting in atmospheres of crisis. Intelligent, organizedhackers had managed to discover troves of consumer credit and debitcard data and were pillaging them, either to commit fraudthemselves or to sell the information to others who would do so.Law enforcement and payment systems appeared outmaneuvered andbehind the technical curve, and some card issuers were forced toclose and reissue both debit and credit cards multiple times peryear. The cost of fraud insurance on card accounts began to sharplyrise, to the point where some CUs began to contemplate leaving thebusiness.

But this year, the meeting's ambiance felt a tad more relaxed.No one suggested the industry should not remain diligent againstdata security threats, but many of the speakers addressed their topics with greater confidence andalmost none appeared to speak from a feeling of panic. Everyone, itseemed, had a much better handle on what needed to be done, atleast generally, and speakers tended to disagree more on questions of how best to do it.

Visa Chief Enterprise Risk Officer Ellen Richey set the tone inher opening remarks that looked back on how the industry moved pastthe crisis atmosphere while she still acknowledged the ongoingthreat.

Meanwhile Sony Corp. experienced a massive data security breach tied to its popular PlayStationcomputer gaming network that broke on the morning of theconference.

“No one reading the headlines this morning can believe we havegone as far as we have to go in securing data,” Richey told themeeting. “But we have made progress.”

Some of the signs of progress included steadily growingcompliance to PCI data standards, the industry's chief way ofsecuring payment networks. Richey reported that 75% of topprocessing merchants, so-called Tier 1 and Tier 2, worldwide arePCI compliant and 95% of similar sized merchants in the U.S. areregularly PCI compliant.

It remains unclear whether the Sony breach compromised consumercard data, if it did, the event represents an aberration ratherthan the norm, she indicated.

Other signs of success included growingconsumer confidence in online commerce, up 30% in the last year aswell as an increasing ability on the part of card issuers andmerchants to catch fraud using neural networks.

But she also reminded the audience of the Sony headlines andthat 61% of consumers still believed the criminals are winning thedata security wars. “Obviously, consumer confidence is the hardestnut to crack and why we continue to work as hard as we do to keepone step ahead of the criminals in this struggle,” she added.

The capture and successful prosecution of Albert Gonzalez, thering-leading hacker who formed a team of data thieves that wereresponsible for most of the last decade's largest card data theft,was remembered and celebrated. Gonzalez is currently serving a20-year sentence in the federal prison.

One panel's members included law enforcement personnel who wereresponsible for capturing and prosecuting Gonzalez, as well as ajournalist who had interviewed him at some length after hiscapture. Members of the panel shared some of the information theygleaned from debriefing Gonzalez as well as some insights on theimpact of his actions on the industry.

For example in letters with a law enforcement official, Gonzalezwrote that firms charged with detecting data breaches should payclose attention to the sources of information coming into theirsystems and the locations of information leaving their systems.Just like non-cyber thieves, cyber thieves have to get theinformation they are stealing off the home system and that movementcould be more easily detected.

The panelists told attendees that Gonzalez has never claimed tobe a “premier hacker” but that his true skills are management.

“He was a very good CEO or foreman,” said Secret Service SpecialAgent Pete Gannon. “He was very good at figuring out who could dowhat in different parts of the operation and then organizing theirwork toward a central goal.”

Gonzalez' operations grew over time and generally he took onmore people as he needed to handle parts of the operation that hadbecome too time-consuming, the panel agreed. Gannon noted that hestarted cooperating with someone overseas to sell card numbersafter that part of the operation began taking too much time for himto do himself.

“His level of organization was really quite extraordinary,” saidKim Peretti, former US Assistant District Attorney who led theGonzalez prosecution. “Particularly when you consider how much druguse was going on at the time.”

Looking forward, the Visa Summit also convened an internationalpanel to discuss the future of smart cards or EMV chip cards, whichthe panelists all agreed represented the best approach available incurrent technology to fight card fraud.

The panel of regulators, card issuers andmerchants roundly endorsed using cards with embedded chips as aprimary means of combating fraud and cutting fraud protectioncosts.

Stephen Fedor, senior director for loss prevention andinvestigations for the Canadian Imperial Bank of Commerce,recounted how his bank, which issues both chip and pin and magneticstripe cards, had card holders traveling in Europe report not beingable to make purchases without chip and pin.

While the panel agreed that chip cards are better, there wasless agreement on the best way to bring the cards to more commonusage in the U.S.

Richard Oliver, senior vice president with the Federal ReserveBank of Atlanta, told the meeting that he doubted whether theFederal Reserve would dictate the adoption of chip and pin. Theymight, he said, but it would be better if the private sector didit, and if they did, it would be a very cautious approach.

Mike Cook, vice president and assistant treasurer for Wal-Mart,surprised most of the meeting participants with the news that amajority of Wal-Mart stores were already capable of accepting chipcards and that the retail chain was already accepting governmentbenefit cards with chips in three states.

Cook told the panel that he expected the shift to chip and pinwould come when card issuers began to see a competitive advantagein issuing cards with chips over magnetic stripes. 

Sony Suffers Major Security Breach

Sony Corp. reported that 70 million consumers around the worldhave had their personal data compromised in the latest major datasecurity breach, according to media reports.

The company has not yet completely evaluated the damage but saidthat it believes no consumer credit or debit card data wascompromised.

Patrick Seybold, senior director of corporate communications forSony Computer Entertainment America, wrote about the breach on thecompany's blog.

“Although we are still investigating the details of thisincident, we believe that an unauthorized person has obtained thefollowing information that you provided,” wrote Seybold. Thingslike name, address (city, state, zip), country, email address,birth date, and game ID and passwords were compromised, he said.“It is also possible that your profile data, including purchasehistory and billing address…and your PlayStation Network/Qriocitypassword security answers may have been obtained….While there is noevidence at this time that credit card data was taken, we cannotrule out the possibility,” he added.