While cybercriminals grow increasingly businesslike, too many U.S. businesses aren’t covering the basics for data security, Visa’s risk chief told a conference last week in Washington, D.C., according to American Banker.
“Some very basic security prevention measures are not being taken, such as not changing a default password,” Visa vice chairman of risk and public policy Ellen Richey said during the “In Digital We Trust” conference on Thursday (March 26). She added that merchants were clearly having a hard time meeting the requirements of Payment Card Industry (PCI) security standards, and the payments industry “has a lot of work to do.”
Visa spearheaded the effort to create the PCI Data Security Standards in 2004, and the card networks penalize merchants who can’t pass an annual audit by charging them higher payment-card transaction fees. But for many merchants, that has resulted in an annual exercise in tightening security just enough — and for just long enough — to pass the audit. In the time between the big tests, 80 percent of merchants fail interim PCI compliance assessments, a Verizon Enterprise study reported.
Another problem is lack of communication and coordination among businesses who could be hit by cyberthieves. The federal government could be a key partner for that, as well as a way of avoiding potential antitrust concerns for retailers or other businesses trying to pool information related to breaches and threats.
But federal departments, especially law enforcement agencies, tend to have one-way doors: information goes in, but it doesn’t come back out. “This is a structural problem,” said First Data VP of public affairs Kim Ford. “The government could do more to foster collaboration and bring the parties together.”
Ford added that technical approaches to devalue the information that cyberthieves want, such as tokenization, are finally making headway. While Apple Pay has raised tokenization’s profile dramatically in the months since Apple’s mobile payments system rolled out, other industry players have been pushing it as a security measure for much longer.
“It was slow going for tokenization a couple of years ago,” Ford said, “but now we are getting close to 2 billion transactions that have used our tokenization and encryption.”