With more than a decade of experience in the IT and security field, Martin McKeay is a seasoned professional dedicated to spreading awareness about security and privacy through his “Network Security Blog” and podcast series. Given McKeay’s background as a QSA (Qualified Security Assessor), he offered us deep insights into the PCI standards. Here, we’ll share them with you.
On the way the PCI Standards have been implemented:
The PCI standards are definitely meant to be a minimum standard, that’s all they were meant to be. The standards have brought a lot of [compliance] laggards to at least a minimum level of security. And it’s given a lot of security professionals a leverage point to actually put into their corporations what they [wanted] from the beginning. And that’s one of the strongest points of PCI.
The weaknesses are, if you’re using PCI for all the tools and security in your network – you’re going to be leaving a lot of things out. Because PCI is dealing with a single swath of industry, it’s generic enough that most companies are going to have one or two, if not multiple, areas of insecurity that PCI isn’t going to do anything at all for.
On his recommendation for strengthening the standards:
The biggest risk for companies dealing with credit card information is the sheer amount of data that they’re keeping. The fact is, most companies are keeping it for historical purposes or they are using a credit card number as [a key] in their databases for tracking customers. That’s a practice that has to stop. Quite frankly, as tokenization or end-to-end encryption are used more, there are very few reasons for merchants to store and keep credit card numbers in the long term. We’re seeing a gradual move away from that, but it needs to accelerate. It means the bad guys will continue to attack businesses, but if you don’t have that credit card information to begin with, they won’t be going after that. But instead, it’ll be something else.
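To make the point above concrete, here is an added illustration (not code from McKeay or from the PCI Council) of what tokenization changes for a merchant that has been using the card number itself as a customer key. The `TokenVault` class stands in for a processor-side vault; the `MerchantDB` class is the merchant's own customer store. The card numbers are constructed test values, and `tok_`, `TokenVault` and `MerchantDB` are names chosen for this example.

```python
import hashlib
import hmac
import secrets

# Constructed test PANs (standard test card numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed card numbers before they reach the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: the only place a PAN is stored in this model.

    A token is random, so it carries no information about the PAN. The HMAC
    fingerprint lets the vault return the same token for a returning card
    without keeping a plain PAN index.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan: dict[str, str] = {}
        self._fingerprint_to_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; the merchant never calls this."""
        return self._token_to_pan[token]


class MerchantDB:
    """Merchant customer store keyed by token instead of by card number."""

    def __init__(self):
        self.customers: dict[str, dict] = {}

    def record_purchase(self, token: str, last4: str, amount: float) -> dict:
        # Only the truncated PAN (last four digits) is kept for display.
        rec = self.customers.setdefault(token, {"last4": last4, "purchases": []})
        rec["purchases"].append(amount)
        return rec

    def contains_pan(self, pan: str) -> bool:
        """Sanity check a merchant can run: does any stored record hold a full PAN?"""
        return any(pan in str(v) for v in self.customers.values())


def checkout(vault: TokenVault, db: MerchantDB, pan: str, amount: float) -> str:
    """Merchant flow: exchange the PAN for a token, then store only the token."""
    token = vault.tokenize(pan)
    db.record_purchase(token, pan[-4:], amount)
    return token


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    db = MerchantDB()
    for pan, amount in [(SAMPLE_PANS[0], 19.99), (SAMPLE_PANS[0], 5.00), (SAMPLE_PANS[1], 42.00)]:
        print(checkout(vault, db, pan, amount))
    print("merchant DB holds a full PAN:", any(db.contains_pan(p) for p in SAMPLE_PANS))
```

The returning customer is still recognised (both purchases land on one record), but a compromise of the merchant database yields only random tokens and last-four digits, which is exactly why storing fewer card numbers shrinks what an attacker can take.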
On whether security matters to consumers:
We know for a fact that people aren’t even thinking about security because [consumers] are only responsible for the first $50 of credit card fraud and most banks will waive that in most cases. So the consumer isn’t really thinking about it until they get the breach notification letter from one of the companies that had their credit card information.
Stay tuned next week for more from Martin McKeay, including on the fluid standards of tokenization and end-to-end encryption.