PCI – Financial Data Security in the Age of Computer Hackers (video transcript):
“Stephen Orfei is the general manager at PCI Security Standards Council. Mister Orfei, you are now recognized for your testimony.
Thank you, sir. Good morning. My name is Orfei. I'm the general manager of the PCI Security Standards Council. I have the privilege of leading a talented and deeply committed membership organization that is responsible for developing and maintaining the global data security standards for the payment card industry.
Our approach combines people, process and technology. Continuous effort in applying our standards is the best line of defense against organized crime, state-funded actors and criminals who threaten our way of life and attempt to undermine our confidence in the financial system. Everyone has been victimized by these criminals, and we know the very real harm caused by breaches. Developing standards to protect payment card data is something the private sector, and specifically PCI, is uniquely qualified to do. Consumers are understandably upset when their payment card data is put at risk.
The Council was created to proactively protect consumers' payment card data. Our community of over 1,000 of the world's leading businesses is tackling data security challenges, from simple issues (for example, the word "password" is still one of the most commonly used passwords) to complex issues like encryption. Our standards are a solid foundation for a multi-layered security approach.
We aim to remove payment card data if it is no longer needed. Simply put: if you don't need it, don't store it; if it's needed, then protect it, and reduce the incentives for criminals to steal. Here's how we do that. The Data Security Standard is built on 12 principles covering everything from logical to physical security, and much more. It's updated regularly through feedback from our global community.
We manage eight other standards that cover card production, PIN entry devices, payment applications, and much, much more. We work on technologies and best practices and provide market guidance. We have laboratories to vet solutions that we list on our website.
All of our information is free. Our mission is to educate, empower and protect. Now, our endgame strategy is to devalue the data so that it is useless in the hands of the bad guys. We have three technologies that will allow us to do so: EMV at the point of sale, point-to-point encryption, and tokenization. When bundled and implemented properly, the data becomes useless. Then there's no reason to break in. That's why the Council supports adoption of EMV in the US, through organizations such as the EMV Migration Forum and other standards, and our standards support EMV today in other worldwide markets.
But EMV chip is not a silver bullet. Additional controls are needed to protect the integrity of payments online and in other channels. This includes encryption, tamper-resistant devices, malware protection, network monitoring, and more. All are vital parts of the PCI standards.
Effective security requires more than just standards, for standards without supporting programs are just tools, not solutions. The Council's training and certification programs have educated tens of thousands of security professionals and make it easier for businesses to choose products that have been lab tested and certified as secure. Finally, we conduct global campaigns to raise awareness of payment card security.
The Committee's leadership on this critical issue is important, and there are clear ways in which the federal government can help, for example by leading stronger cooperative law enforcement efforts worldwide and by encouraging stiff penalties for these crimes. Recent initiatives on information sharing are also proving to be invaluable. The Council is an active collaborator with government. We work with NIST, DHS, Treasury, Secret Service and many other government entities, including global law enforcement such as Interpol and Europol.
In conclusion, payment card security is complex. Silver bullet solutions do not exist. Unilateral action is usually a disappointment. Alliances, partnerships, information sharing and collaboration between the public and private sector are critical. The PCI Council stands ready and willing to do more to combat global cyber crimes that threaten our way of life and confidence in the financial systems of the world. We thank the Committee for taking a leadership role and seeking solutions to one of the largest security concerns of our time. Thank you. Thank you.
But it's still a target for the hacker to go into the retail or anytime. Not just medical or whatever; the hospital keeps that information too, I guess, as a data source where they'll go try to breach it, and they won't be going to the retail to use it, but they'll be doing it online. So it's still a target, maybe even a larger target. Is that true now with the chip? My time is going quick. Is it a larger target because of that as well?
I think it's important that we recognize the chip technology is really designed to button down the point of sale, to defend against counterfeit, lost and stolen. It is but one critical layer of security. There are other technologies that have been referenced in testimony here today, such as point-to-point encryption and tokenization, that will protect that data from the cyber breach.
You're referencing, Congressman. Okay, I'd like to ask Mr. Orfei: given your organization's experience in establishing data security protocols and procedures, what would you say are the most important aspects of a company's data security plan? In other words, what is the most important thing that a company could do to protect their customers, to protect their company against a data breach?
Thank you, Congresswoman, for that question. I think what's most important is the PCI standard is, in our view, the best defense against cyber criminal attacks. It really becomes a question of vigilance and being methodical and disciplined in your approach, and looking at and paying special attention to the fundamentals, doing the blocking and tackling, looking at the physical and logical security. It's day in and day out; it needs to be twenty-four seven. It needs to be built into the DNA of an organization, from the CEO right down to the working level.
Okay, thank you. I just got a few seconds left, just one comment. Mr. Orfei, I'm disappointed you gave everybody my password to my computer. With that I yield back. Thank you, sir.
The gentleman yields back, and better put a fraud alert on all of his credit cards, hiding back here. But real quickly, while we're on the breaches, I'd be remiss to say that Mr. Garrett's credit card has now purchased at least three things online and is available widely on a Russian website. But in all seriousness, though, I mean, that is the concern all of us have, right? You know, when we're calling in somewhere or buying something online, in a very transient kind of economy that we have, I think we all have a legitimate and serious concern. But I'm curious, Mr. Murphy, from your perspective, have you evaluated how many breached companies are in compliance with your PCI standards at the time of their breach? Or have they had those standards and then it's caused them to take action, or did they have them already and they still were breached?
Well, what I would reference is the Verizon report,
which is an objective third party that looks at the data for breaches for the past ten years. In the findings there are two significant data points that I would give you, Congressman. One is that ninety-nine point nine percent of the breaches that have occurred were preventable and covered by the PCI standard.
The second point is that I think that the PCI standard has done a very effective job, and there hasn't been one single compromise where the merchant or the entity was found in compliance.
Okay. But I mean, are you saying, they were gonna say, more, you know, pocket thieves out there? I mean, I don't know. I'm saying that fraudsters will develop new and innovative ways to crack the chip and commit fraud. Is that happening? Congressman Duffy.
If I may, the chip will defend against counterfeit, lost and stolen at the point of sale. It will button down the point of sale, the physical environment. Once that environment is secured, fraud will then move to the card-not-present environment, right? It's what we observe in the Asia Pacific and European theaters, who've had chip technology. Now, the chip technology, you cannot clone it, so what we'll see is it will migrate.
So how far away are we from tokenization for online purchases?
Tokenization is a technology that's been around for ten years, and now the acquiring community and technology vendors are, and the price points have come down. So point-to-point encryption, coupled with tokenization, coupled with EMV at the point of sale, is how we get to devaluing the data so that it's useless.
So with card-not-present, so when we have a chip, does a retailer, are they able to maintain data about the card in their database, if you just have a chip card as opposed to a magnetic stripe?
There's, again, Congressman, the chip is just going to work at the point of sale. How that merchant stores data, can they store it, so...
What my question is, listen, we've heard about all the retailers who had data breaches. If we migrated to the exclusive use of chips, does that mean that retailers are no longer keeping personal consumer data in their databases, which means, no, they're not at risk to have breaches any longer?
No. Again, it's just taking off the threat at the point of sale, so it's a critical layer, but it's not a silver bullet.
But on the back end, the retailer still gets back, is nothing to where the information could be replaced, though, by tokenization, could be protected by point-to-point? Recommendations on how long retailers are recommended of keeping financial information about consumers: how long should a retailer keep that information?
It's really not necessary to keep that information.
Um, let me ask Mr. Orfei. You noted at the end of your testimony that not a single company has been found to be compliant at the time of their breach. But in many cases, firms that have been breached were at one point PCI compliant. How does your compliance framework lend itself, if at all, to ongoing monitoring of PCI compliance? What role does PCI play in monitoring compliance?
And thank you for that question. Yes.
Ninety-nine point nine percent of the compromises were preventable and covered by the standard, and if you think about our standard, what we're advocating is a move away from compliance to a risk-based approach. And we are advocating vigilance and discipline and being methodical in paying close adherence to the standard. Security is a 24 by 7 responsibility.
It's not a matter of compliance. You know, what we see happens is a company works diligently to bring its organization into compliance, they high-five each other on Thursday, and Friday the environment starts to deteriorate. So it's about being disciplined, methodical and paying attention to the fundamentals, sir.
Right. People in Fergus. Miss Dorothy, unless here in this country we go down this path where we continue to work on this problem, find solutions to it, aren't we exposing our consumers and our families and our businesses to more cyber risk, if Europe is ahead of us and other developed countries or parts of the world are ahead of us? May I answer that question?
Yeah. I think the technology is going to evolve here. We'll have good answers; particularly, mobile will be the future of payments. But I think what's really key is this information sharing effort that's in progress right now: being able to collect that information, translate it so it's actionable intelligence, and then that will allow us to preempt attacks from organized crime, rogue states and state-funded actors.
Thank you all very much, appreciate it. Thank you, Mr. Chair. You, my time. Thank the gentleman. Does anybody else want to add on that?
Well, I think the fundamentals of the PCI standard are applicable across all vertical markets. I also share your concern, in my discussions with law enforcement, that the health care systems in particular will be a next big target. Protecting that data and following adherence to the PCI standard would benefit those industries as well. So the endgame really is you devalue the data so that it's useless in the hands of criminals, and the three technologies that we've talked about today do exactly that: EMV at the point of sale, point-to-point encryption and tokenization. You bundle those correctly, you implement it properly, the value is useless. There's no reason to break in, and yet if you did, whatever you stole, you can't use it.”