The 'P' in PCI Should Stand for People
I've been listening to a lot of different perspectives at the PCI Security Standards Council community meeting this week. PCI experts, security experts, vendors, analysts and payment card industry leaders - all of them talking about protecting card data, securing the networks that carry the card data, and how technology is helping answer the growing list of security requirements, guidance and changes to the PCI data security standard.
There is never any mention of why they're doing all of this, or who ultimately is the biggest beneficiary. Who will benefit from a stronger payment process that protects card data? The obvious answer is: Everyone who has anything to do with handling card data, but especially the consumer who holds the card.
The card data breaches of retailers, payment processors and businesses have left many consumers shaking their heads, wondering why they don't just go back to paying cash. In listening to everyone speak here this week, I've not heard anyone mention the needs of the customer, not even in passing.
It's time to put the P back into PCI's focus -- the P standing for people, not payment. As one attendee noted to me about the credit cards in his wallet, "What I want to know is will there be a solution, or combination of them, that I can know is going to protect my cards and ultimately my credit ratings?"
The emerging technologies that can step up to offer better, faster, stronger ways to protect card data throughout the payment process are laudable, positive and promising. Making all of this transparent to the customer, and remembering why we are doing it in the first place, are important points to keep in mind, too.
Everyone should put themselves in the shoes of an average cardholder who one day opens a statement only to find that an account has been compromised, and thousands of dollars of fraudulent charges have been made with the card. I hear from people to whom this has happened, and it is a truly bad experience.
Putting the P - people - back into PCI's focus will also take the form of involving more constituents in the protection process, doing the basic things that stop the bad guys from getting into computer networks. I heard yesterday from Chris Novak of the Verizon Business Investigative Response Team that more than 80 percent of all breaches would have been spotted by the business had they just looked with a closer, more discerning eye at their log files. He suggests that something as basic as log file monitoring on a regular (think: daily) basis is a great place to start beating the bad guys.