Second Annual Payment Card Industry Community Meeting - Oh What a Difference A Year Makes!
September 09, 2008
Held at the Omni Resort in Champions Gate outside of Orlando this year, the meeting showed great strides in moving the Payment Card Industry initiative ahead toward its goal of minimizing criminal activity in the area of card data fraud.
The best speaker was Kimberly Peretti of the United States Justice Department. She talked to us about the work they do in catching and prosecuting the global gangs who perpetrate the growing, for-profit criminal activity of "carders".
The "carders" are a fascinating bunch and work to steal cardholder data any way they can to line their pockets with gold...actually it was e-gold...but hurray for the good guys...they busted e-gold.
So we are making progress in our quest to make it so tough for criminals to gain access to cardholder data that they turn away. Ah yes, I am the eternal optimist, or I wouldn't be engaged in the all too frustrating business of getting all of our merchants PCI DSS and PA-DSS compliant.
The other great news is that the PCI Security Standards Council has formalized a Quality Assurance Program to ensure consistency among QSAs, PA-QSAs, and ASVs in assessing and certifying merchants. Without consistency in how we assess and certify merchants against the current PCI requirements, we won't have a hope of deterring the criminals.
And even better news: the Card Brands recognize the rapidly increasing number of SQL injection and other types of breaches occurring at level four merchants, and are moving to enforce that every level four merchant must have its own valid PCI compliance certificate.
The Card Brands, like Visa, MasterCard and American Express, recognize that it isn't enough to be processing through a PCI compliant service provider. Although THAT back door is locked by the service provider's valid PCI certificate, the front door is being left wide open when there is no assurance that a level 4 merchant (or any merchant, for that matter) has its own PCI compliance certificate showing that its physical environment, web site, web-hosting network and third-party suppliers all meet the PCI DSS and PA-DSS requirements.
Could any of you reading this imagine locking the back door of your home but leaving the front door open, and just hoping the criminals will only test the back door and not the front? It is laughable to even consider doing that, but in fact that is what we have done in our industry.
Further to that, we are finally moving to enforce that web hosting companies become PCI compliant. They are a huge risk to online security when they do not keep their servers and systems maintained daily to PCI requirements: criminals are able to attack thousands upon thousands of vulnerable sites because web hosting companies have not come to the table on the PCI DSS standards.
Locking down our industry and making it so difficult for the criminals to steal and profit from us requires a collective and collaborative effort from every area of our industry: web-hosting companies, merchants, law enforcement, the Card Brands and industry security experts. Our second annual PCI community meeting showed clearly that our collaborative meeting of the minds, action policies and initiatives are working to turn what has been a reactive response to criminal activity into a proactive, offensive strategy. Although we are losing some of the battles right now, as we continue to amass our more than considerable brain power we will win this War on Criminal Activity!
I can assure you that my team and I will never give up working together with our peers to ensure that our Internet industry is secured for all generations, now and in the future.