Incoming PCI council head ready to take on the hackers

Stephen W. Orfei is the incoming general manager of the PCI Security Standards Council. He succeeds the council's first general manager, Bob Russo, who will retire at the end of 2014.

Orfei has decades of experience in payment technology, including 13 years in telecom with MCI International as director of international business marketing, and 14 years in payments with MasterCard Worldwide, the last three as senior vice president of emerging payments platform, advanced technology.

Earlier this month, Orfei applauded President Obama's executive order requiring federal agencies to adopt EMV (chip and PIN) technology for government payment cards and for point-of-sale terminals at federal facilities.

In a statement, Orfei called EMV a "critical layer in any payment security strategy," but added that, "it is not by itself a silver bullet for data protection," since it does not stop malware or card-not-present attacks.

Orfei recently spoke with CSO about his goals for the council and about better security practices for the payment card industry.

CSO: In your view, what in your background and experience is the most important qualification for this post; and what drew you to PCI SSC?

Orfei: I was drawn to this position for one simple reason: The council is leading a critical fight; we are taking on the hackers who have taken aim at our way of life and at our financial system. We are the good guys, fighting the good fight. I'm honored and humbled to lead this global cross-industry coalition in tackling the challenges of payment security.

My background and experience has had me on the front lines with merchants, technology companies and financial institutions. I am passionate about technology, payments and security, and I will be tireless in my efforts to fight this fight.

CSO: What are your short- and long-term goals while in this position?

Orfei: I have three: First, my vision for the council is to be a "Center of Excellence." We need to expand our focus on standards and become a trusted source for payment security matters. We'll provide subject matter expertise, best practices, security standards, vetted solutions, laboratory testing, training and education. We're moving in this direction with forthcoming studies on tokenization, mobile and cloud technologies that are crucial to the future of payment security.

Second, I would like to see us improve our collaboration across industries and sectors. No single organization can ensure payment security on its own. We need to work together with merchants, acquirers, financial institutions and law enforcement.

Third, I want to expand our geographic reach. Payment security is a global problem requiring global solutions. That's why I'm particularly excited about our upcoming meeting in Asia-Pacific, and we plan to have our first face-to-face meetings in the Middle East region next year.

CSO: Given that the holiday shopping season has also come to be known as "hacker season," what are the special/unusual risks confronting companies and shoppers?

Orfei: Make no mistake, hackers are hitting everything that's not nailed down, and they know that the holidays are a particularly vulnerable time for merchants. Not only does the increased number of payment transactions make retailers a high-value target for hackers, but also temporary staff changes and updates to systems that take place during this busy season can put businesses at increased risk. With these seasonal challenges against the backdrop of vulnerabilities and threats such as Shellshock and Backoff malware, it is more critical than ever for organizations to be vigilant.

CSO: What can merchants do to mitigate those risks?

Orfei: It's important for businesses to keep their eye on both their sales and their IT systems at all times. Organizations should prioritize the strong security principles found in PCI Standards, and maintain a multi-layered security approach that involves people, process and technology working together to protect consumers.

Take the time now to do an inventory of your computers and systems to ensure that all assets that touch the payment system have the latest software updates and patches.

Malware and other agents make their way into systems because basic controls fall down, such as changing passwords, patching systems, and managing access. In addition, make sure that you have monitoring and network surveillance in place to alert you immediately to any anomalous activities or changes to your systems that could put payment data at risk.

CSO: What are the most important technology investments organizations can make to minimize the value of data and ease compliance efforts to increase security?

Orfei: Rendering cardholder data useless to criminals is the end game. This means that even if a criminal is able to steal cardholder data, its possession should be impossible to exploit. We're at an exciting place today, in that we actually have the technology available to help us do this. EMV chip, tokenization and point-to-point encryption are more accessible and available than ever. Used together, these provide a layered approach to payment security that makes theft of cardholder data a non-event. Use of these technologies can also simplify the process of compliance.
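Of the three technologies Orfei names, tokenization is the one most merchants implement in their own systems. The following is an added illustration, not code from the PCI SSC or from the interview, of vault-style tokenization: the primary account number (PAN) is replaced by a random token before it reaches the order database or logs, so a breach of those systems yields nothing a criminal can charge. The in-memory dictionary stands in for a hardened, access-controlled token vault that would sit inside the cardholder data environment (real deployments keep the PAN encrypted at rest there, typically behind an HSM); the card numbers are constructed test values, and the `caller_role` check is a simplified stand-in for the vault's real authorization.

```python
"""Vault-style tokenization: downstream systems hold only a random token and
the last four digits; the PAN lives solely in the (hypothetical) vault.

Added example for illustration; not the PCI SSC's or any vendor's code.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it enters the vault (Luhn mod-10 check)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a hardened vault service inside the CDE (assumption)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # lets a repeat card map to one token

    def tokenize(self, pan: str) -> dict:
        """Return a token plus the minimum card info a receipt needs.

        The token is random: no key and no arithmetic relate it to the PAN,
        so possessing every token in the order database is worthless.
        """
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            # "tok_" prefix keeps tokens distinguishable from PANs during
            # log and database scans for stray cardholder data.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the component that actually submits the charge may recover
        the PAN; everything else (web tier, reporting, support) is refused.
        """
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return pan


def demo() -> dict:
    """Walk a constructed test PAN through the vault and back."""
    vault = TokenVault()
    test_pan = "4111111111111111"   # well-known test number, not a live card
    rec = vault.tokenize(test_pan)
    again = vault.tokenize(test_pan)
    try:
        vault.detokenize(rec["token"], caller_role="web-frontend")
        frontend_blocked = False
    except PermissionError:
        frontend_blocked = True
    return {
        "token": rec["token"],
        "last4": rec["last4"],
        "stable": rec["token"] == again["token"],
        "frontend_blocked": frontend_blocked,
        "roundtrip": vault.detokenize(rec["token"], "payment-processor") == test_pan,
    }


if __name__ == "__main__":
    print(demo())
```

The point the interview makes shows up in the design: the order system stores `tok_...` and `1111`, which is enough to show the customer what they paid with and to re-bill them through the processor, but an attacker who dumps that database gets nothing a card brand will accept.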

CSO: Why should CSOs move beyond a strong defense to an aggressive offense? What do you mean by offense: attacking the attackers, or something different?

Orfei: Offense means never taking your foot off the gas. Hackers are an unremitting, unrelenting foe. Our approach needs to meet this challenge. This means you're not stopping at protecting from the current attack vectors; you're thinking steps ahead and continuing a layered approach to security.

Businesses must take a proactive approach to security that assumes all defenses will fail at some point. When defenses fail, you must be ready and prepared to address threats and mitigate them quickly. Be vigilant with your security efforts and include them in your corporate culture. On top of this, take advantage of the technology solutions available today that make cardholder data useless to attackers if they do steal it.

CSO: How should CSOs move to offense? What strategy and tactics will be the most effective?

Orfei: If we've learned anything from recent incidents, it's that payment security equals job security. Security is no longer merely "nice to have." It is critical to the success of any organization that accepts or processes payment cards. Businesses must prioritize security when making investments and take advantage of the technology solutions available today that help do this.

We urge executives to instill a culture of vigilance from the top down. Make PCI part of your "business as usual" routine. Doing just one security scan a year isn't going to cut it. We all need to admit that we're humans; we make mistakes, so we must do everything in our power to stop costly accidents from happening. You are a part of the process of offensive security.

Starting in the boardroom, the conversation has to change from one that's compliance-based to a new focus on reducing risk and increasing security, every day and year-round, not just at assessment time.

CSO: Explain how a "risk mitigation" approach differs from a compliance focus.

Orfei: Compliance is just a point-in-time measurement. Asking, "Am I compliant?" is not the same thing as, "Do I have a strong security strategy for continuously protecting payment card data?" We have to flip this focus and move the dialogue away from passing an audit once a year to building a culture of security vigilance that reduces risk with multi-layer controls.

CSO: How can the PCI DSS keep up with constantly evolving threats? Should it issue regular "patches" to its standards?

Orfei: "Patching" the DSS is not the right metaphor. A patch is issued to fix an error made by a programmer while writing software code. The DSS itself is a strong baseline standard to help businesses detect, prevent and defend against attacks on their systems. And we are committed to evolving not just the DSS, but all of the standards, best practices, guidance and solutions that can help businesses protect their payment information. For example, the council recently issued guidance on malware in response to threat vectors that have emerged in recent months.

CSO: Third-party relationships are said to be one of the most significant vulnerabilities for companies. What do you recommend for engaging and managing security within those relationships?

Orfei: Security is only as good as your weakest link, which means the security practices of your business partners should be as high a priority as the integrity of your own systems. Proper due diligence and a risk assessment are critical in choosing trusted partners to ensure the security of your payment data and systems. One of our Special Interest Groups recently developed an excellent resource for businesses that provides practical recommendations on tackling this challenge.

Stories by Taylor Armerding