Stephen W. Orfei is the incoming general manager of the PCI Security Standards Council. He succeeds the council's first general manager, Bob Russo, who will retire at the end of 2014.
Orfei has decades of experience in payment technology, including 13 years in telecom with MCI International as director of international business marketing, and14 years in payments with MasterCard Worldwide, the last three as senior vice president of emerging payments platform, advanced technology.
Earlier this month, Orfei applauded President Obama's executive order requiring federal agencies to adopt EMV (chip and PIN) technology for government payment cards and for point-of-sale terminals at federal facilities.
In a statement, Orfei called EMV a "critical layer in any payment security strategy," but added that, "it is not by itself a silver bullet for data protection," since it does not stop malware or card-not-present attacks.
Orfei recently spoke with CSO about his goals for the council and about better security practices for the payment card industry.
CSO: In your view, what in your background and experience is the most important qualification for this post; and what drew you to PCI SSC?
Orfei: I was drawn to this position for one simple reason: The council is leading a critical fight we are taking on the hackers who have taken aim at our way of life and at our financial system. We are the good guys, fighting the good fight. I'm honored and humbled to lead this global cross-industry coalition in tackling the challenges of payment security.
My background and experience has had me on the front lines with merchants, technology companies and financial institutions. I am passionate about technology, payments and security, and I will be tireless in my efforts to fight this fight.
CSO: What are your short- and long-term goals while in this position?
Orfei: I have three: First, my vision for the council is to be a "Center of Excellence." We need to expand our focus on standards and become a trusted source for payment security matters. We'll provide subject matter expertise, best practices, security standards, vetted solutions, laboratory testing, training and education. We're moving in this direction with forthcoming studies on tokenization, mobile and cloud technologies that are crucial to the future of payment security.
Second, I would like to see us improve our collaboration across industries and sectors. No single organization can ensure payment security on its own. We need to work together with merchants, acquirers, financial institutions and law enforcement.
Third, I want to expand our geographic reach. Payment security is a global problem requiring global solutions. That's why I'm particularly excited about our upcoming meeting in Asia-Pacific, and we plan to have our first face-to-face meetings in the Middle East region next year.
CSO: Given that the holiday shopping season has also come to be known as "hacker season," what are the special/unusual risks confronting companies and shoppers?
Orfei: Make no mistake, hackers are hitting everything that's not nailed down, and they know that the holidays are a particularly vulnerable time for merchants. Not only does the increased number of payment transactions make retailers a high-value target for hackers, but also temporary staff changes and updates to systems that take place during this busy season can put businesses at increased risk. With these seasonal challenges against the backdrop of vulnerabilities and threats such as Shellshock and Backoff malware, it is more critical than ever for organizations to be vigilant.
CSO: What can merchants do to mitigate those risks?
Orfei: It's important for businesses to keep their eye on both their sales and their IT systems at all times. Organizations should prioritize the strong security principles found in PCI Standards, and maintain a multi-layered security approach that involves people, process and technology working together to protect consumers.
Take the time now to do an inventory of your computers and systems to ensure that all assets that touch the payment system have the latest software updates and patches.
Malware and other agents make their way into systems because basic controls fall down, such as changing passwords, patching systems, and managing access. In addition, make sure that you have monitoring and network surveillance in place to alert you immediately to any anomalous activities or changes to your systems that could put payment data at risk.
CSO: What are the most important technology investments organizations can make to minimize the value of data and ease compliance efforts to increase security?
Orfei: Rendering cardholder data useless to criminals is the end game. This means that even if a criminal is able to steal cardholder data, its possession should be impossible to exploit. We're at an exciting place today, in that we actually have the technology available to help us do this. EMV chip, tokenization and point-to-point encryption are more accessible and available than ever. Used together, these provide a layered approach to payment security that makes theft of cardholder data a non-event. Use of these technologies can also simplify the process of compliance.
CSO: Why should CSOs move beyond a strong defense to an aggressive offense? What do you mean by offense attacking the attackers, or something different?
Orfei: Offense means never taking your foot off the gas. Hackers are an unremitting, unrelenting foe. Our approach needs to meet this challenge. This means you're not stopping at protecting from the current attack vectors you're thinking steps ahead and continuing a layered approach to security.
Businesses must take a proactive approach to security that assumes all defenses will fail at some point. When defenses fail, you must be ready and prepared to address threats and mitigate them quickly. Be vigilant with your security efforts and include them in your corporate culture. On top of this, take advantage of the technology solutions available today that make cardholder data useless to attackers if they do steal it.
CSO: How should CSOs move to offense? What strategy and tactics will be the most effective?
Orfei: If we've learned anything from recent incidents, it's that payment security equals job security. Security is no longer merely "nice to have." It is critical to the success of any organization that accepts or processes payment cards. Businesses must prioritize security when making investments and take advantage of the technology solutions available today that help do this.
We urge executives to instill a culture of vigilance from the top down. Make PCI part of your "business as usual" routine. Doing just one security scan a year isn't going to cut it. We all need to admit that we're humans we make mistakes, so we must do everything in our power to stop costly accidents from happening. You are a part of the process of offensive security.
Starting in the boardroom, the conversation has to change from one that's compliance-based to a new focus on reducing risk and increasing security, every day and year-round not just at assessment time.
CSO: Explain how a "risk mitigation" approach differs from a compliance focus.
Orfei: Compliance is just a point-in-time measurement. Asking, "Am I compliant?" is not the same thing as, "Do I have a strong security strategy for continuously protecting payment card data?" We have to flip this focus and move the dialogue away from passing an audit once a year to building a culture of security vigilance that reduces risk with multi-layer controls.
CSO: How can the PCI DSS keep up with constantly evolving threats? Should it issue regular "patches" to its standards?
Orfei: "Patching" the DSS is not the right metaphor. A patch is issued to fix an error made by a programmer while writing software code. The DSS itself is a strong baseline standard to help businesses detect, prevent and defend against attacks on their systems. And we are committed to evolving not just the DSS, but all of the standards, best practices, guidance and solutions that can help businesses protect their payment information. For example, the council recently issued guidance on malware in response to threat vectors that have emerged in recent months.
CSO: Third-party relationships are said to be one of the most significant vulnerabilities for companies. What do you recommend for engaging and managing security within those relationships?
Orfei: Security is only as good as your weakest link which means the security practices of your business partners should be as high a priority as the integrity of your own systems. Proper due diligence and a risk assessment is critical in choosing trusted partners to ensure the security of your payment data and systems. One of our Special Interest Groups recently developed an excellent resource for businesses that provides practical recommendations on tackling this challenge.