Just how important are security standards and data protection in retail nowadays? Do you know how to protect your consumers' credit card data? To find out, Retail in Asia caught up with Bob Russo, the general manager of the Payment Card Industry (PCI) Security Standards Council, during his visit to Hong Kong for the CARTES in Asia conference. With more than 25 years of experience in high-tech business management, operations and security, Russo now guides the organisation through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process.
RIA: Can you tell us what the PCI Security Standards Council does?
Bob Russo (BR): The council is about five years old. It was formed in September 2006 by five credit card schemes – Visa, MasterCard, American Express, Discover and JCB. Prior to this council coming about, each of these schemes had its own security standard; they looked similar but were all slightly different. Now there is one standard that is the foundation for each one of their compliance programmes. Compliance programmes are the different rules and different regulations on how they want their merchants to comply, with the security features now the same across each one of these five brands. The PCI Council also manages the standards, trains the assessors, educates the globe – as these are global standards – and we create awareness of why retailers need to be doing this.
RIA: So why should retailers comply with the PCI Security Standards?
BR: Very simply, to prevent the loss of the credit card data. If the data is lost or stolen, it’s an inconvenience not only for retailers but also an inconvenience for consumers. Because the cards need to be reissued, fraudulent charges come on the cards causing issues for the consumers as well. And there’s a brand issue. That is probably the biggest reason why somebody should comply with this because most of these retailers have trusted names. For a big retailer in Hong Kong, it must have a very trusted name. People go and shop there all the time because they trust it and they know what they are going to get when they shop there. If they lose your credit card data, people have the tendency to lose trust in that brand. That’s the worst thing that can happen because once they lose the trust, the brand’s customers may not come back. They may go to another retailer and affect sales. That’s why it’s important.
RIA: Is it mandatory for all retailers to be compliant? Is there any penalty for not being compliant?
BR: The rule is that if you store, process or transmit credit card data, you must comply with these standards. And those are the compliance programmes of the five credit card brands. The biggest penalty is you get breached and someone steals all of your information. There are also penalties that are issued by these credit card brands globally if you are not complying with the standard.
RIA: How is the adoption of the PCI Security Standards in Asia?
BR: In Asia, it is an education issue. Right now, the adoption in Asia is quite good in Australia and New Zealand, as well as Japan. I think the reason that we don’t see very much adoption in Hong Kong is because people are not aware of the standards and don’t really understand what they are. But retailers need to be aware this is not something we are asking you to do that you are probably not already doing. These are good security practices that most retailers are probably already doing a good deal of.
RIA: How would you educate people and promote the standards in Asia?
BR: It’s promoted by us and the credit card brands, although you’ll see promotion by Visa, MasterCard, American Express and JCB to a lesser extent. We are currently talking to China Union Pay (CUP) at this point about the standards. We have been talking to them for a number of years to have them join the council but for a number of reasons, we have not been able to come together. However, hopefully in the near future we will have them as a member of the council as well. But again, the biggest impediment is that many people don’t know what the standards are and don’t understand the standards. So, that’s what we are doing – we are here educating, doing seminars, and conducting interviews. Right now, I visit the region once a year – a little infrequent – but as we begin to get increased participation, and companies in China begin to join the council, we will be here a lot more educating people. So it’s a slow education process, but a vital one.
RIA: Are there many Chinese companies joining the council?
BR: We haven’t seen that many. Simply because they don’t understand what the standards are and they don’t understand the benefits. That’s why what we are doing is so important – creating awareness of the standards and explaining what the benefits are to comply with them.
RIA: Why do you want to have China Union Pay join the council?
BR: CUP is aware of the standards. In fact, I’m sure they have standards now themselves that they are following and probably having their merchants follow. This standard, however, is not just a specific standard to one country. This is a standard that’s global. So it needs to be written in such a way so that people in North America, South America, Europe, Asia-Pacific can all use the same thing. We need participation from China to find out things that are specific to this region we may not know and see if we can build that into our standards.
RIA: What has stopped China Union Pay from joining the council in your mind?
BR: It’s an education process. They understand the necessity of security. They have their own standard at this point. This is a global standard and as CUP branches outside of China, they will need a global standard that people have to follow. We have one already.
RIA: What do retailers need to do in order to protect consumers’ data?
BR: The first thing they need to do is that the credit card data, if they don’t need it for anything specific other than to just settle a payment, they really shouldn’t store it. Because if you store it, then it has to be protected as you run the risk that somebody will take it. If you don’t store it, there’s nothing to steal. Some retailers store data for marketing purposes – which you are allowed to do. However, if you do store it, it needs to be rendered unreadable in some form that is either encrypted, truncated or hashed. But, retailers should not store the actual credit card data – that’s the data on the front of the card. Also, the data that is on the magnetic stripe or chip is authentication data and should never be stored. There are rules against storing this type of data. Data that can be stored includes the credit card number; but again, if you do store it, you have to make sure that it’s unreadable.
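The storage rule Russo describes, as an added example that is not part of the interview or the PCI Council's own material: a constructed point-of-sale capture is reduced to a storable record by dropping the authentication data (track data, verification code) outright and keeping the card number only in truncated and keyed-hash form. The field names, the sample values and the demo key are assumptions made up for illustration.

```python
import hashlib
import hmac

# Constructed sample of what a point-of-sale system might capture for one
# transaction. The card number is a well-known test value, not a real card.
CAPTURED = {
    "pan": "4111111111111111",          # primary account number (front of card)
    "expiry": "12/27",
    "cardholder": "A. Example",
    "track2": "4111111111111111=27121011234567890",  # magnetic-stripe data
    "cvv": "123",                       # card verification code
    "amount": "49.90",
}

# Sensitive authentication data: the interview's "data on the magnetic stripe
# or chip" plus the verification code. It is never written to storage at all.
SAD_FIELDS = ("track2", "cvv", "pin_block")

# Demo key only; a real deployment keeps the hashing key in a key manager or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits and mask the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN. A plain SHA-256 of a 16-digit number is
    brute-forceable, so the key is what makes the token unreadable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(captured: dict, key: bytes) -> dict:
    """Return the subset of the capture that may be retained after settlement."""
    record = {k: v for k, v in captured.items() if k not in SAD_FIELDS}
    record["pan_masked"] = truncate_pan(captured["pan"])  # for receipts, lookups
    record["pan_token"] = hash_pan(captured["pan"], key)  # for matching a card
    del record["pan"]                                     # never keep the plain PAN
    return record


def contains_sad(record: dict) -> bool:
    """Check a record before it reaches a database or log file."""
    return any(field in record for field in SAD_FIELDS)
```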
RIA: Google is teaming up with MasterCard and Citigroup to embed technology in Android mobile devices that would allow consumers to make purchases by waving their smartphones in front of a small reader at the checkout counter, according to The Wall Street Journal. Do you think there will be risks for retailers to accept credit cards by using mobile devices?
BR: All these mobile devices – Android devices, BlackBerrys – whatever kind of telephone you have, are inherently insecure. That’s the problem. Right now we are looking at standards. We formed a task force to look at these devices and look at these mobile devices as the acceptance item for a credit card. We will be coming out with guidance on mobile acceptance in the next few months.
RIA: How can consumers tell if a vendor is PCI compliant when they are making payment?
BR: There isn’t a way to tell if they are PCI compliant or not. We do not allow merchants to use our logos to put on their websites, on their tills, or on their cash registers to say that they are PCI compliant. Because we believe that it pins a target on them so that hackers will say "Oh yeah, he says he is PCI compliant. Let me try and hack in just to show people that he is not". It’s a real problem for us. We also don’t allow people to use our logo to say they are PCI compliant. And they don’t report their compliance to the council, they report their compliance to the credit card schemes or to the acquiring banks but not to us. So we don’t really know if they are PCI compliant or not. We just create the standard and educate.
RIA: Can you give some advice to consumers on how to protect themselves when they pay for purchases by cards or mobile devices?
BR: There are a lot of ways to protect yourself. With these mobile devices, now you have the ability to get a text message or email when somebody has spent something on your account. In most cases, you have the ability to monitor what’s going on with your credit cards. You can either go on to a website and monitor it, or at the very least you should be doing is looking at your statements every month that come in as a consumer to make sure that all of the charges are legitimate charges. That’s probably the only way that you can really find out what’s going on and stay on top of it all.
RIA: What is the biggest challenge of PCI compliance so far?
BR: It’s the education challenge. People do not understand what this is and they think it’s like a government telling them "now you have to do this". It’s not the case. These are standards that are best practices in the security business. Most retailers are probably doing a good part of what we are asking them to do already because it’s just good business to do it this way.
For more information on PCI standards and compliance, visit PCI Security Standards Council.
CARTES in Asia is a regional Exhibition for the Asia-Pacific market and a high-level congress covering digital security and smart technologies. Organised by Comexposium, CARTES in Asia 2011 is the second edition of the event. It was held from 29 to 31 March at Asia World Expo, Hong Kong.
Taking Stock is Retail in Asia’s column dedicated to showcasing opinions and providing advice from experts in the retail industry.