Information security has become a top priority for businesses, especially for those organizations in -- and those that have their processes influenced by -- the payment card industry. As recent high-profile breaches have proven, hackers use increasingly sophisticated and ingenious tactics to get their hands on payment card information.
As these threats evolve, so must the security strategies used to combat them, said Branden Williams, EVP of strategy at payment card industry (PCI) compliance service provider Sysnet Global Solutions. In this Q&A conducted at RSA 2014 in San Francisco, Williams discusses how maturing cyberthreats force companies to reexamine their data protection and PCI security strategy.
What are some of the struggles companies have with PCI compliance requirements, and how can they overcome them?
Branden Williams: I've been doing PCI compliance for a long time, back before it was even called PCI. The problems companies have today aren't really that different from the problems they had back then. Companies grow and infrastructure grows, and the companies change focus. Sometimes the PCI security process doesn't catch up. A lot of times what I see is a lack of documentation, a lack of process and a lack of following the processes that are in place.
PCI 3.0 has a lot of really interesting new aspects that companies are going to have to do, and a lot of it is going to increase the rigor of an assessment.
PCI 3.0 -- the new version that's already out but is effective next year -- has a lot of really interesting new aspects that companies are going to have to do, and a lot of it is going to increase the rigor of an assessment. The outside guys -- or sometimes the inside guys -- that will be doing the assessment work are going to be digging in more and looking at some of the controls. In light of recent breaches, a lot of it is just basic blocking-and-tackling stuff that's still not being done from a PCI security strategy and compliance perspective.
What are some emerging cyberthreats that you're keeping an eye on, and what are some of the security strategies and technology that can help address these threats?
Williams: A lot of my experience has been in the payment space, but there are some interesting challenges with the U.S. moving to EMV [Europay, MasterCard and Visa], and what that does to fraud prevention. Then there's stuff like Dexter malware and its variants. Other threats have come out that are getting directly into point-of-sale systems and pulling information. All those fancy encryption things that software might be doing do not matter. The malware is sitting between those routines so it can see things that are coming in.
Skimming is still a really big issue, and bad guys are getting really creative about how they install skimmers. They've got injection molding machines and they're molding plastic that looks like it's the front of the ATM. They're sticking it right on there; it doesn't look like it's any different. They're also finding new ways to capture the PIN. It used to be low-tech, with cameras that they would set up right near an ATM. Now they're actually putting stickers over the keypad so, as you push in your PIN, it's capturing it and transferring it down to the keypad below. Everything looks normal, like it's working. Gaining access to payment data has become a big deal.
The other big trend is that data is sprawling out everywhere, and we've got data on phones and laptops and cloud services. We really have a hard time identifying informational assets. What are the assets that we monetize or rely on, and what sort of protections do we need to put in place to make sure that we still maintain control over that digital asset? That's a problem that a lot of companies still haven't quite figured out. There are solutions for it, but they're usually very expensive. Sometimes they are cost-prohibitive. Companies that I've worked with in the past have had pretty great solutions, but you need to know the business well enough to say, 'If we're going to create this digital asset, this is what it's going to take to maintain and secure it.' It's hard to go back to the well and go get more money after you've already been down the road a little bit.
There's been so much buzz around intelligence-based and analytics-driven security strategy. How effective do you think these approaches are, and are there any challenges?
More from RSA 2014
Effective security helps alleviate compliance burden
Increased threats force CISOs to rethink data protection efforts
Can information sharing improve corporate data protection?
Williams: It can be very effective. If we think back to the old days of intrusion detection systems 15 years ago or so, people loved to put them in place. They said, 'Hey, this is the next step, we really need this so we can stop attacks before they start.' They didn't realize the amount of tuning that they had to put in place so they wouldn't get lots of false positives.
There has to be a lot of information sharing. There has to be ways to take the data that's coming out of this and make some sense of it so you can make an informed decision. Most companies aren't advanced enough, and many of them don't care, frankly, to go into that level of detail. The ones that are advanced enough are typically government agencies, or contractors supplying government agencies with particular products and services.