President Obama’s State of the Union address this week launched a new emphasis on an ever-present threat in our daily lives: cyberattacks. It kicks off what will be a defining year for cybersecurity protection and, for us at the PCI Security Standards Council, a pivotal one in improving the protection of consumers’ payment information globally.
Public-private collaboration and information sharing, education and awareness, and leveraging the most secure technology, as emphasized by the president, are critical to protecting customers against the type of massive breaches we saw in 2014. As the standard-setting organization for payment security, we are leading the charge to provide the standards and resources to help businesses secure this information.
The good news is we know what works and what doesn’t. In recent years, we at PCI have not seen any data breaches that weren’t predictable. On the contrary, problems arise from a failure to maintain key security controls and a lack of vigilance. Simply put, most data security breaches involving credit card data are not sophisticated attacks at all, nor are they new tactics. Far too many of the recent major breaches we have seen in the United States were entirely preventable.
Something as simple as a password can cause problems. A recent study by Trustwave reported that the most popular numeric password used by the American business community is 123456. The word ‘password’ remains one of the most commonly used passwords. It wouldn’t take a very sophisticated hacker to crack that code.
Fortunately, data security is now becoming a top-level issue, from the White House to Congress to corporate suites across America. President Obama’s speech this week will further drive the national conversation.
Many companies need to change the way they view security issues. Passing a PCI Standards assessment is a first step, but properly following security standards 24/7 is required to prevent data breaches. Not all companies do that, thinking instead that once they check the box of passing a data security assessment their work is over. This kind of thinking is a major problem. Data security cannot just be a “box you check” once or twice a year. It has to be an all-day, everyday priority. Protecting data is no longer a simple task that companies can just leave to the IT Department.
In 2015 America will take a major step by implementing EMV chip technology for consumers. This is a critical step forward and will provide better data protection by adding an additional layer of security. EMV chip technology, which is already in use throughout much of the advanced world, provides consumers with strong security features. It helps businesses lock down their point of sale and provides protection against fraudulent transactions in face-to-face shopping environments. However, while EMV chip technology is an additional layer in data security protection, it doesn’t solve every problem. We should not be fooled into believing it is the magical technology that eliminates data security threats. It isn’t.
EMV chip technology will not prevent fraud when a card is used online or in mail and telephone order purchases. EMV technology also would not prevent breaches that involve targeted malware.
No one single technology is the answer. As we look towards the White House Cyber Security Summit at Stanford University next month, it is important for American businesses to prioritize strong security principles by maintaining a multi-layer security approach that involves people, process and technology working together to protect consumers.
It’s time for a change in the mindset about data security. Vigilance must be an everyday priority.
Orfei is general manager of PCI Security Standards Council.