A Silicon Valley executive said Monday he doubts whether the card industry's prevailing data security standard can continue to provide meaningful consumer payment data protection.

Eric Chiu, co-founder and president of cloud security firm HyTrust, told Credit Union Times that 2014 could become the Year of the Data Security Breach unless payment industry executives find a way to more quickly and thoroughly update card data security standards and practices.

The payments industry in the U.S. has relied upon merchants, processors and issuers complying with the requirements of the Payment Card Industry Data Security Standard since the end of 2004, and Chiu praised the standard for having prevented an unknown number of attacks and breaches.

“We would probably be even worse off if we didn't have it,” he said.

The existing PCI DSS seeks to maintain payment card data security by mandating what parts of the process must be encrypted and what level of complexity that encryption must maintain. It also limits the amount of consumer payment data that retailers can store online.

But by its nature, the standard is slow to update, complicated to monitor and difficult to implement, Chiu said, and there is evidence hackers have found new and innovative ways to repeatedly defeat it.

Chiu pointed out the data standard is also tasked with protecting a steadily growing amount of data; reports suggest that data taken from Target, Neiman Marcus and other retailers did not pertain only to payment data, but also included names, addresses and other consumer data taken from other parts of the retailers' networks.

“What I have been saying for some time is that we may need to change our data security approach from solely protecting the data and networks from intruders on the outside and also start focusing on protecting data from intruders we believe have managed to get inside,” Chiu said.

Too many data protection regimes are like M&M candies, he explained.

“They are hard on the outside and soft on the inside,” Chiu said. “Retail corporations, processors, anyone who is keeping consumer data need to start asking themselves 'how would I protect consumer data if I believed hackers were already able to access our network.'”

Chiu agreed more widespread movement to cards that validate transactions through embedded chips would go a long way to fight fraud at the point of sale, but added the steadily expanding range of targets for theft means protecting data networks will remain an abiding concern for some time.

“Since consumer data can be held and used for identity theft and other frauds for months and possibly years later, its value has steadily risen. Anything that valuable is going to need additional protection,” Chiu observed.
