Card security needs collaboration
By Nicole Kobie in Malta,
Who should take responsibility for credit card security - merchants or card issuers?
That question was under debate at the NetEvents conference in Malta, with panellists discussing the payment card industry's data security standards (PCI DSS), developed by the PCI Security Standards Council.
Credit card payment systems need to be more secure, the panellists agreed. Citing the TJX/TK Maxx security breach, Bob Walder, the chief scientist at NSS Labs, noted that failing to protect customer details can be expensive for companies. Beyond the money lost directly through a data breach, cards have to be reissued and customers informed, and there are longer-term costs in fixing the breach, repairing customer confidence and undoing brand damage. "Customers have a long memory which can cost even more in the long run," he said.
"If you've been compromised, you've put your customers at risk," added Carlos Solari, the vice-president of security for Alcatel-Lucent. "It's the end of your business."
But who should be held responsible for keeping data secure: retailers or the credit card companies themselves?
Walder said merchants can't be expected to be security experts. He asked the panel to consider the mindset of Larry the pizza shop owner: "He's got to look encryption up in the dictionary."
Despite this, more than half of companies are found to be non-compliant on their first DSS assessment, he said. But self-assessments are open to abuse, so end users need to be forced to be compliant, said one panellist. "For a small merchant, it's an alien thing... the only way is to force them to on pain of taking their business away or their ability to accept cards," said Michael Bacon, the head of information security at Xchanging.
But Alex Raistrick, director of Northern Europe for ConSentry Networks, said: "It's not in the interest of card companies to take away the ability to use cards."
He added that it's not just small merchants facing trouble. "It's confusing for everybody," he said, noting that a retailer with 9,000 stores and several thousand staff faces huge challenges in keeping data secure.
Because of that, more pressure should be put on credit card companies and networks to keep data secure. One solution could be certification of security products. "In the end, it doesn't matter how prescriptive you get, products need to be certified," said Neal Hartsell, vice president of marketing at Tipping Point. That way, smaller vendors and larger firms alike will know which products are proven to meet PCI standards, he said.
Alcatel-Lucent's Solari suggested credit cards themselves should be made more secure. "The credit card itself continues to be a weak point," he said.
But Bacon noted you can't certify people. "People will break security every time," he said. No matter how good the technology, he added, "there's still somebody putting it together." He asked the audience to consider cars. No matter how much safety technology manufacturers put into their cars, people will always make them dangerous - there's nothing you can do about "the nut behind the wheel," he said.