This month the PCI Security Standards Council entered a new era with the installation of a new general manager as Bob Russo, its founding GM, prepares for retirement at year end. Russo's successor is Stephen Orfei, a tech industry veteran with experience in telecommunications, emerging payment technology, and cyber security.
Orfei was introduced to PCI ecosystem partners at the North American PCI Community Meeting this month. He is coming to his new role with a fresh approach, and he hopes to build on Russo's work in a number of key areas. First on his list of priorities is evangelizing a mind shift away from, of all things, compliance.
Though the PCI SSC was originally created as a standards-setting body that existed primarily to maintain standards to which merchants, acquirers, and other payment entities need to adhere, Orfei says the time has come for a change. PCI standards will always exist as a baseline for compliance, but Orfei hopes to use the council to break out the soapbox and tout the importance of prioritizing risk-based security over simple compliance.
"I don't think we can go forward with the attitude of either you're compliant or you're not," he says. "I think a risk-based approach is one that makes sense and will allow us to take significant risks off the table." As he explains, he wants to avoid the situation where a business takes 10 of 12 risks off the table but, because it cannot immediately address the last two, it gives up being vigilant about risk reduction by saying, "I'm just going to throw the dice, because I can't bring the organization into compliance, and this effort is for nothing if I can't comply."
A center of excellence
Instead, he wants to urge organizations to still prioritize and take big threats off the table but continue to develop and execute plans for better risk reduction over time. He believes the council is in a good position to help them do that by shifting its position in the industry. Rather than simply being a global security standards organization, Orfei would like to build the council into what he calls a "center of excellence."
The idea is not only to tweak the baseline standards with which the payment ecosystem must comply, but also to develop and disseminate best practices for a higher level of security.
"I want the market to look to us for the subject matter expertise, for the best practices, for the standards, for the vetting of solutions, for our laboratories to do the testing," he says. "The continuum is one of going to the market with best practices to get to a baseline standard, and then as a center of excellence, we also need to describe what a gold standard looks like for those who have the appetite and desire to take it to the next level."
In the meantime, Orfei believes that organizations can start down the path of risk-based security in five key areas:
- Monitoring and surveillance: Organizations must improve the way they monitor their network and data resources in order to stay on top of incoming threats.
- Patching: Patch management remains one of the most effective ways organizations can drastically reduce risk to their systems and PCI-relevant data.
- Using technology to devalue data: With EMV coming down the pike and technology like point-to-point encryption and tokenization more affordable and usable than ever, organizations need to leverage technology to make data worthless to attackers.
- Making security a KPI: Organizations that find ways to make security a key performance indicator, not just in IT but across the business, are more likely to develop a culture of security.
- Remaining vigilant beyond the point-in-time compliance check: Organizations need to remember that compliance is just a point-in-time metric. They have to remain vigilant with risk reduction even when the assessors are gone.
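The "devalue data" item above is the one most easily shown in code. The following is an added illustration, not code from the article or from the council: a toy vault-based tokenization scheme in which the merchant's order store keeps only a random token and the last four digits, while the real card number lives solely in a separate vault. The sample card number 4111111111111111 is a constructed test value; `TokenVault`, `luhn_valid` and `mask_pan` are hypothetical names chosen here.

```python
import secrets

# Constructed sample PAN (a common test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check: true for a well-formed PAN, false for random tokens."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for display and receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical vault: maps a PAN to a random token and back.

    The token is drawn from a CSPRNG, so it has no mathematical relation
    to the PAN; stealing the token table alone yields nothing usable.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # same card -> same token
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._token_to_pan:  # avoid a (very unlikely) collision
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access controls, can reverse a token."""
        return self._token_to_pan[token]


def build_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant system stores: token + masked PAN, never the PAN itself."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Simulated leak of the order store: does any stored field contain the PAN?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = build_order_record(vault, SAMPLE_PAN, 1999)
    print(rec)
    print("leaked record exposes PAN:", record_exposes_pan(rec, SAMPLE_PAN))
    print("vault round-trip:", vault.detokenize(rec["token"]) == SAMPLE_PAN)
```

The point of the split is scope: a breach of the order database yields tokens that are useless without the vault, so the systems holding only tokens carry far less PCI exposure than those holding PANs.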