Backing Up Words with Action in Payments Security

Payment security is “more than a piece of paper,” says Joe Majka, Chief Security Officer at Verifone. While it’s all well and good for merchants to be confirmed as PCI DSS compliant, those who are should not consider their job done in terms of protecting customer (and their own) data. Majka recently shared with PYMNTS his thoughts on the continued efforts that these merchants need to make.

Cybercriminals are relentless in their attacks on U.S. merchants, always devising new methods to steal credit and debit card account information. Joe Majka, Chief Security Officer at Verifone, believes that card brands should be as aggressive in pushing encryption and tokenization as they are with regard to EMV and the October liability shift. He spoke with PYMNTS recently about this ongoing need to “change the game.”

For starters, Majka addressed the phenomenon of restaurant and hospitality segments being aggressively targeted by hackers. “PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from registers, has been heavily implicated in recent attacks on companies that provide POS service to restaurants, bars and hotels.

While merchants are investing significant amounts of money and other resources in trying to achieve PCI-DSS compliance, said Majka, simply receiving that piece of paper (Report on Compliance) is not a catchall guarantee of a merchant’s effectiveness at keeping an intruder out of its network.

“Just look at all the mega-store breaches in the past years,” he warns. “Almost all impacted retailers had the PCI Report on Compliance (ROC), yet they were still hacked. The PCI ROC is only a ‘snapshot in time,’ and the card brands infer that merchants somehow must have fallen out of PCI compliance after the qualified security assessor (QSA) completed their assessment.”

Majka’s perspective is that, in many cases, the breached entity was never really in full compliance. He pointed to his experience investigating several cases where the hacker was actually in the merchant’s system at the same time the QSA was conducting the PCI assessment – and the QSA never detected the intruder.

While trying to prevent intruders from gaining system access is “always a good idea,” Majka strongly believes that businesses should focus on designing their Intrusion Detection Systems (IDS) to quickly identify intruders and have in place a thoroughly vetted incident response plan that can quickly contain breaches and minimize their damage.

“One of the most important steps a merchant can take to protect their brand and limit their liability in the event of a data breach is to devalue the payment card data within their environment,” said Majka.

To this point, data encryption and tokenization can eliminate access to payment card data that’s in the open. The data collected at the point of sale – be it through magnetic stripe, EMV or NFC card – can be encrypted there and then, and stay encrypted until it reaches a secure processing host. Additionally, Majka highlights the benefit of tokenizing card PANs to ensure merchants have a secure record for future reference.

“PCI is not going away,” he remarks, “but merchants need to re-evaluate how to best invest their data security resources. When merchants employ a multi-layered approach to security utilizing encryption and tokenization – even if attackers manage to get into the system – they can’t gather any usable data for criminal profit and mischief. That is where I’d like to see the industry focus its efforts.”

By eliminating usable data from the entire POS lifecycle, “there’s essentially nothing meaningful for thieves to compromise,” said Majka. To make the Report on Compliance “more than just a snapshot in time,” encryption and tokenization are invaluable additional elements in reducing the necessary scope of PCI.


 Joe Majka

Vice President and Chief Security Officer, Verifone

Joe Majka is Vice President and Chief Security Officer for Verifone, where he is responsible for leading the company’s global security operations. Majka has more than 30 years of experience in the financial services sector managing security, fraud, cybersecurity and data-breach incident response. For 18 years, Majka led Visa’s electronic payment data security incident response team, and was responsible for handling the payment industry’s largest merchant and processor data security breaches over the past decade.

As a leading security expert, Majka has spoken internationally on the subject of cybercrime and payment card fraud. In 2009, while Head of Global Fraud Control and Investigations for Visa, he testified before the U.S. House of Representatives Committee on Homeland Security, the Subcommittee on Emerging Threats, Cyber Security, and Science and Technology.

Joe Majka holds a Bachelor of Science degree in Sociology from California State University, East Bay and a lifetime teaching credential from the University of California, Berkeley.