Achieving international acceptance of the PCI Data Security Standard is an ongoing challenge, says Jeremy King, international director of the PCI Security Standards Council, who's working to educate merchants about baseline security that goes far beyond cardholder data protection as the council prepares to mark its 10th anniversary.
"When ... you look back at the history of how [merchants have] been attacked, in the early days, the biggest problem was that organizations stored massive amounts of data," King says in an interview with Information Security Media Group. But as merchants have stored less data, attackers have become more effective at stealing data in transit. So the PCI-DSS and other PCI security standards have evolved to reflect evolving threats, he adds (see How Will PCI-DSS Evolve in Next 10 Years?).
The PCI Council's standard for point-to-point encryption, for example, has gained more international acceptance in the wake of such high-profile breaches as Target and Home Depot, King says.
"We have to improve how people undertake their network security, and we are constantly trying to get people to improve their password security - that still is a problem, 10 years down the line," King says. "It's really about being aware of how the criminals are attacking."
While companies and organizations have become more effective at securing cardholder data, they've not been paying the same attention to their general customer data, King contends. "And what we've seen, certainly over here in Europe, in some of the recent breaches is that the criminals can gain so much personal information about the customer that they can ring them up, pretend to be the merchant and gain access to their bank details. So while people understand the need for protecting cardholder data, they also have to understand that we have new technology coming along and we have criminals who are better organized."
During this interview, King also discusses why:
- Increasing fraud in the e-commerce, card-not-present space is still a growing worry;
- Tokenization will continually improve security, in spite of the implementation hurdles some merchants still must overcome; and
- Stronger data breach reporting regulations in Europe are helping push wider global acceptance of the need for PCI compliance.
King leads the PCI Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.