There’s nothing like a payments or consumer data breach to make the news and raise consumer’s fears about the security of their sensitive information. But while many merchants now move more quickly towards deploying EMV and other solutions, many more are still not suitably up to speed on or involved in the process. Joe Majka, Vice President and Chief Security Officer at Verifone, sat down with MPD CEO Karen Webster to examine how the security conversation has changed with the industry’s move to mobile, and how merchants of all sizes, without being proactive, could turn into fraudster prey.
KW: What is VeriFone’s perspective with respect to how secure the payments industry is today, and what is the state of security with respect to the new mobile and digital initiatives happening in the space?
JM:In the current environment, especially with the recent data breaches, there has never before been this heightened level of interest and awareness of data security. One of the top priorities in 2014 is security, and it’s at the forefront of everything we do at Verifone. Security is built into VeriFone’s DNA. For the last 33 years, we’ve developed and delivered products and services that provide industrial-strength security to the payments space.
KW: Security is such a broad topic. Are there a couple of specific areas that you talk to retailers about and try to get them to focus on?
JM:We are constantly engaging our clients to talk about security issues and understand their concerns so that we know when we are building our products and services, we have their needs and concerns in mind. At the top of the list is protecting sensitive data. Everybody needs to protect sensitive data, especially in the payments industry where criminals can monetize that data for their profits. I think that’s at the forefront of many of the attacks that we see today.
KW: Protecting sensitive data is a number one priority, but what is the best approach to doing that? Is there one solution or are there many?
JM: It’s very clear that we have to take a layered approach to security. In the payments space, that layered approach is using EMV as a technology coupled with encryption, and tokenization. Also, PCI has done a good job in terms of setting a data standard, but it’s really the baseline. Merchants and companies need to be going above and beyond that, however.
KW: But how do merchants operationalize this? It must be very overwhelming for them to be thinking about this proactively now when they haven’t given it as much thought before. What has to change?
JM: We have to make the process simpler for merchants. PCI’s standards were a good starting point, but they overwhelmed merchants. There must be a simpler approach offered to provide them with a solution that secures and encrypts their transactions through the payment cycle. This would take that burden of securing the data away from the merchant so they can focus on their tasks at hand.
KW: Let’s talk about EMV, especially with the news about the coming liability shift. The perspective that VeriFone has on EMV is that it is necessary – how do you have that conversation with merchants?
JM: It’s really about making sure that the merchants understand that EMV itself is not the total solution but a part of the puzzle of data security. Without encryption and tokenization to go along with it, criminals can take data that’s clear in the system and use it again.
KW: One of the things that merchants are asking about is the role of EMV, a card-based solution, and the move to mobile solutions. How do you help explain how those two things work together?
JM: Looking forward to where we are going with mobile and EMV, I think that the two technologies are going to exist in combination for a number of years. It’s clear that payment cards with EMV technology will be used in card-present transactions, but then there will be the mobile devices used as the payment device itself. What we try to do at VeriFone is make sure the devices that we provide are capable of both handling EMV cards and mobile devices.
KW: So how has the conversation changed since the data breaches? Are you seeing all types of merchants increase their enthusiasm for EMV? Are there certain categories that will be the last to make the change?
JM: With the large data breaches over the last few years, everybody is aware of the problem. These recent breaches have been the tipping point. These large merchants will begin to install equipment into their retail locations that are ready to accept EMV transactions. At the same time, there is a push to get issuers to issue EMV cards, which will really change the environment.
However, mid-size and smaller merchants will be more difficult to motivate to install these technologies. The education process that needs to be in place should show them the levels of security and tools available that can protect their environment. There’s still an attitude out there that the smaller and mid-size merchants won’t be breached, but that’s a naïve assumption. The public hears about these larger breaches, but everyday there are thousands of smaller merchants that are victimized by computer hackers around the world. These criminals are more sophisticated than ever, and they aren’t really targeting a specific sized merchant. They are just looking for the vulnerable ones.
Vice President & Chief Security Officer at VeriFone
Joe Majka is Vice President and Chief Security Officer for VeriFone, where he is responsible for leading VeriFone’s global security operations across the business enterprise. Areas of security oversight include product, services, hardware, information, facilities and emerging risk.
Majka has more than 30 years of experience in the financial services sector, managing security, fraud, cybersecurity and data breach incident response. During the past 18 years, he has managed electronic payments fraud for Visa and is considered one of the leading industry experts in the industry and has spoken internationally on the subject of cybercrime and payment card fraud.
During his career at Visa, Majka lead Visa’s data security incident response team, handling the payment industry’s largest merchant and processor data security breaches over the past decade.
In 2009, as Head of Global Fraud Control and Investigations for Visa, Majka testified before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, CyberSecurity and Science and Technology.
Majka holds a bachelor’s degree from California State University, East Bay and a life-time teaching credential from the University of California, Berkeley.