The Visa Security Summit 2009 is going on today. You can watch a live webcast at http://www.visasecuritysummit.com (free registration required).
Ellen Richey, Chief Enterprise Risk Officer for Visa, Inc. wasted little time in her opening remarks before getting to the recent Heartland Payment Systems breach and Visa’s confidence in PCI DSS as an important tool in security. After quickly outlining progress that has been made in the areas of making payment security a priority in more companies, reducing fraud rates, expanding adoption of the Payment Card Industry Data Security Standard, and the creation of a National Cyber Advisor position, Richey turned to recent events:
But despite our progress, the reality is that public perceptions of data security continue to be shaped by visible exceptions where data is lost. One such event was the recent compromise at Heartland Payment Systems. I’m sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today. The fact is: it never should have.
As we’ve all read, the company had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack. Based on our findings following the compromise, Visa has taken the necessary step of removing Heartland from its online list of PCI DSS compliant service providers.
In addition, we are activating our account data compromise recovery programs, which are in place to protect our system and help issuers recoup some of their losses from compromise events. And Heartland will face fines and probationary terms proportionate to an event of this magnitude. While this situation is unfortunate, it does not make me question the tools we have at our disposal – in fact, it makes me resolved that we all should be redoubling our efforts to use every one of those tools effectively.
Richey did not mention RBS WorldPay’s breach at all, raising the question in this blogger’s mind as to whether Visa thinks that Heartland’s breach was somehow worse or more avoidable than RBS WorldPay’s. Both processors had claimed to be PCI DSS-compliant at the times of their respective breaches, and both had subsequently claimed that the attacks were “sophisticated.” In sharp contrast to their statements, Visa has reiterated the theme that no entity has been PCI DSS-compliant at the time of their breach and that validation is merely the first step.
The remainder of Richey’s opening remarks, which can be found here (.doc) focused on what Visa sees as the next steps, which include global initiatives to reduce stored data and increase PCI DSS compliance, while recognizing a prioritized approach that includes chip and encryption technologies that complement PCI compliance. She also described some new techniques that will be rolled out in the near future, including a challenge-response technique that has been piloted at OfficeMax, a targeted acceptance program that gives consumers the ability to set personal limits on type of card use, advances in mag-stripe technology, and expanding the availability of a transaction alert system that gives consumers the ability to monitor card activity in real-time so that fraud can be nipped in the bud. One of the priorities Richie outlined involves reducing the value of stolen data by authentication.
In a news release timed to coincide with the opening of the summit, Visa also released the results of a survey of 800 U.S. credit and debit cardholders. Surveyed between February 3-5, 2009, 59% said they had decided not to make an online purchase at a particular web site because they did not trust that site, while another 49% said they had opted not to shop with a merchant they did not recognize for fear of having their personal data stolen. The news release can be found here (.doc).