PCI: What's Next and When?
These are the key questions in payments security, and Bob Russo, GM of the PCI Security Standards Council, is prepared to start answering them. In an exclusive interview conducted at RSA Conference 2010, Russo discusses:
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am at the RSA Conference, and I am talking with Bob Russo, the General Manager of the PCI Security Standards Council. Bob, it is a pleasure to talk with you.
BOB RUSSO: Hi Tom, my pleasure.
FIELD: So, PCI is certainly a hot topic. What do you see as the hot topics in PCI right now?
RUSSO: Well, currently we are in the middle of a feedback period and analyzing just a ton of feedback that the council has received on the standard over the last year or so. In early summer we will be releasing some summaries on what the new standard will look like, but we are approaching the end of a six-month study on all of this feedback that has come in; quite a daunting task, I must say. It basically falls into three different categories; it falls into clarifications, emerging types of technologies, and then some additional guidance on some things. So those are the three categories that the feedback seems to fall into right now. And as I say, as we get closer to the end of analyzing all of this feedback, we will begin to release some summaries on it, so that the world won't be taken by surprise when we get to October and release a new standard.
FIELD: So, there is an expectation this year that there will be a fairly significant new release for the standard?
RUSSO: It is a little too early to tell at this point. Again, in those three categories right now it looks like the majority of what we are seeing are clarifications - hashing, what is a strong hash; define strong for us, things of that nature. So we are looking at that kind of information. Of course, technologies are coming out, a lot of buzzwords in the industry these days, and encryption, chip, tokenization and so on and so on; how do these things affect the standard. How do they make the standard a little bit easier to comply with? How do they augment the standard? Because to be perfectly honest with you, the standard is not going to go away. I mean, there is no silver bullet out there. When we are looking at these technologies now in depth, trying to figure out exactly how they map to the standard, and if you are using one of these technologies what it in fact needs to do in order to be considered a technology that would map to the standards. So we are in the process of doing that now.
FIELD: Now as you may recall, we had a bit of dialog about PCI a year ago in the wake of Heartland and RBS WorldPay. There was lots of talk about what is PCI compliant, what is not PCI compliant, and I think it is fair to say that there was a significant amount of drama in the conversation. A year later, where would you say we are in this conversation about PCI and about payment security?
RUSSO: Well, certainly you know as unfortunate as this is or those situations are, they tend to raise awareness, so I think you will tend to find that people are very much aware of PCI. I think you will find that they are torn as to how they should comply, how best to comply, and I think the fact that it is a compliance program is something that scares people. This is not really about compliance; this is about security. If you are secure, compliance comes along as a byproduct; so that's a good thing. But this is not about compliance alone. If you go down and check a box and then forget about it and don't study for another year for the test, you are going to fail. That is what has happened with these breaches that you have been reading about.
FIELD: Where do you find the greatest vulnerability to be? Is it with the process or is it with the merchant, is it with a merchant of a certain size? Where do you find your work really cut out for you?
RUSSO: Well, you know it is pretty much all over the map, and basically it is an education issue as far as we see. You need to understand that this needs to be built into your DNA and that you need to do this on a daily basis. You need to live, breathe, eat, sleep, not PCI, but security, and if you let your guard down for one second that is when things happen. So that is what we are finding out, but again, the awareness is way, way up on the standard, and people are even using this as a jumping point to get security into their organizations, which is a good thing. So we are very happy with where we are but the fight continues so to speak.
FIELD: Interesting, Bob, we just did our banking information security survey, which I am actually going to be presenting the results today at the event, and we asked about PCI. The one thing that I don't really think will surprise you when we asked the banking security leaders about their confidence in the data security standard, and I would say that this sort of fell smack in the middle, somewhat confident/somewhat un-confident, but there is not much you can read into that. But we asked them about potential solutions in the marketplace, specifically about chip and pin and about tokenization and/or encryption. Close to 50 percent thought that end-to-end encryption might be a solution, but a secondary answer I found interesting was what they called "enhanced PCI." I have got to ask you, what would enhanced PCI be? What do you think maybe people are envisioning here?
RUSSO: Tom, I am not familiar with the term enhanced PCI, certainly it is not a PCI Council term at this point, but since we are continually talking about layers of security, maybe it has got something to do with additional layers being added on to the existing standards like an encryption solution or a chip solution, or a tokenization solution. You know, as far as we are concerned, any additional layers you can put on top of PCI is a good thing. Whether one of these things, as I mentioned before is a silver bullet or not, you know, we don't think that is the case.
We don't think you are going to find one solution that is going to fit all purposes, nor will that negate the need to comply with certain requirements within the standard. It will make it in some cases more secure, which in turn makes it easier to comply with the standard, but certainly the standard will not be going away anytime soon. We are looking in depth at some of these technologies, trying to define specifically what they are, so when somebody says end-to-end encryption, I sort of have to scratch my head because I don't really know what end-to-end encryption is; from what end to what other end? Point-to-point might be a better thing. End-to-end encryption is sort of a catchall phrase, and you get people falling into a false sense of security when they hear, well, I have just bought an end-to-end solution, so I am safe. That is not always going to be the case, and we need to make sure that we are educating people on that.
FIELD: That makes sense. Now you are here at the RSA event, and I am curious: 1) what are you here to talk about with people, and 2) what do you find already that people want to talk about with you?
RUSSO: Well, certainly people want to know what is coming in the new version so that they can be prepared. As I indicated before, we are still analyzing the enormous amount of feedback that we got, so there isn't really a whole lot to say at this point, except to explain how this feedback process works, explain how they can be a part of it, explain all of the different things that we are doing since this is a global standard, and so when we say we are putting out not one, not two, but three standards this year, we are not only talking about here in the United States, but we are talking about globally. All of these standards have to go out in eight different languages to begin with, so this is an enormous amount of work. So we are looking to let people understand what it is, and more importantly how they can participate in this.
FIELD: So, from here, we are starting here in March of 2010, how can your constituents participate, and give us a sense of timeline when we can expect to see some of these events unfold?
RUSSO: Well, timeline-wise, as I said we are in the process of analyzing the feedback now, and we should be through the feedback probably sometime in early spring. We will then start releasing summaries of what the feedback was, where it lined up.
And I mentioned three buckets that it falls into - clarifications, emerging technologies, and additional guidance; we will basically summarize what we have heard from everybody. As you can well imagine, there is conflict here. Somebody sends in something that says, hey the password rule is crazy and we can't change it every 90 days so make it 180 days, whereas somebody else sends something in that says, wait a minute, 90 days is not secure enough, and it needs to be every 30 days. So you have got conflicting opinions here, and we have to weed through this thing and take into consideration a lot of different things.
Number one, globally - how does it line up globally, not just for the United States? Number two, what is it going to cost to do these things? You know, so cost is a factor here. Number three, is it going to change the way you do business? Because if it is going to change the way you do business, it is going to take a while to come about. We can't just have the standard come out and then say change the way you complete your business. So basically what I am here to do is to explain exactly what we are doing now. Talk about these timelines. Let them know that in September, when we start our community meetings, we will be debating one last time if we have missed anything in the standard, but in early summer we will begin to release information on what the standard is going to have, so we don't get to October when we release the standard and everybody is surprised. There won't be any surprises here.
FIELD: Bob, it is going to be a lively year.
RUSSO: It will be.
FIELD: Thank you so much for your time today, I appreciate it.
RUSSO: All right Tom, thank you.