ITPRO

Printed from www.itpro.co.uk


    PCI's Bob Russo: Data loss hurts brand more than a fine

As Christmas shoppers spend away and data breaches keep hitting the headlines, the Payment Card Industry's security council is charged with keeping customers' data safe.

By Miya Knights, 12 Dec 2008 at 11:14

This is reflected by the fact we’re looking at developing the qualified assessor programme to be a first line of support for merchants. This is exactly what the PCI council wants, why we train them and why we’ve introduced a process of remediation for assessors as well.

As for the threat of fines, I can’t comment on that as the card brands are in charge of that side of regulation. Thankfully, it hasn’t come to that. But merchants are beginning to understand that the potential damage to their brand if they are involved in a security breach could far outweigh the cost of a fine. And they are realising compliance is becoming a differentiator – that consumers can feel safer shopping with them.

How do you see the progress of PCI DSS efforts in Europe going specifically?

Europe is a little more boisterous than the US, but then it is further along in implementing the EMV chip. That’s succeeded in lowering fraud at the counter with chip and PIN. But that’s also basically succeeded in moving fraud over to CNP (card-not-present) transactions. I also think they’re not shy in addressing any issues they are facing in complying with the standard.

Generally, I think European merchants have also done a lot more work on developing their transactional systems. Within the study I mentioned that we’re launching, we’re calling the EMV chip an emerging technology. But then you guys in Europe are using it every day. I remember back in the beginning of the roll out of PCI DSS, I heard merchants in the UK saying that they’d already jumped through hoops to become compliant with chip and PIN and done stuff to make their systems more secure that we hadn’t in the US. And that’s great, but the security issues are still there. One new technology doesn’t solve the issue. And it’s just one example that reflects the work that needs to be done to make sure the standard is as robust as possible.

You’ve mentioned a major study that the council is launching in the New Year. How will it be conducted and what will it involve?

I can’t say too much about its methodology as the study is now in RFP [request-for-proposal] stage, so its scope may change. But suffice it to say, it will very strongly focus on those emerging technologies I mentioned earlier to see how they affect, or don’t affect the scope of the standard.
