The views expressed by contributors are their own and not the view of The Hill

Working together in Europe makes us stronger

Sometimes a simple idea helps us all to be better and stronger, and in ways we never could have imagined.  For example, the international standardization of shipping containers after World War II radically cut the costs of global trade and simplified moving cargo on ships, trains, trucks and aircraft.  Today, nearly all non-bulk cargo is transported in five common standard sizes of containers.  All thanks to working together within a standard framework nearly seven decades ago. 

It is in that spirit that the PCI Security Standards Council recently formalized a strategic partnership with the European Card Payment Association (ECPA) around payment card data security. ECPA represents 10 domestic debit brands and three card associations. This unique collaboration is significant because it will result in greater collaboration between the U.S. and Europe on payment card data security, reinforce the tremendous benefits of a single, global card payment security standard, and maintain the integrity and trust of the payments system worldwide.      

This exciting new partnership means that ECPA will now be a strategic regional member of the PCI Security Standards Council with the shared goal of a single, globally unified data security standard.  ECPA will collaborate on future versions of the global PCI Data Security Standard and be an advocate for the adoption of the PCI Standard by its members in conformance with European Union regulations.  This new alliance has been encouraged and is applauded by the European Central Bank.  By closely working together, PCI-ECPA will be a positive force for stronger payment security in Europe.

According to the Center for Strategic and International Studies, cybercrime costs the global economy $575 billion each year, with that number expected to grow in 2016. In the U.S., the country hardest hit by cybercrime, hacking attacks in 2015 cost the average American firm $15.4 million, double the global average.  Fraud across payment cards was up throughout Europe for Card-Not-Present (CNP/Mobile and e-commerce).  While EMV chip technology continues to deliver on its promise of stopping fraud at the point-of-sale, cybercriminals have now shifted to card-not-present fraud, as anticipated.  A similar trend is also happening in the United States.  On top of those challenges, an ever-growing cybersecurity skills gap is projected to result in a two-million-person shortage of cybersecurity professionals by 2019.  The PCI Council will train over 5,000 security professionals this year alone.  Collaboration between standards bodies and both the public and private sectors is essential – in fact, it’s the only way forward.

As long as it can be bought and sold by criminals, payment data will be a target for hackers.  However, it might come as a surprise to many that 99.9% of the headline-grabbing payment card data breaches we’ve seen over the past few years were entirely preventable. Payment data breaches, in contrast to the sophisticated cyber espionage attacks we read about, are surprisingly simple and preventable. Most breaches involving credit card data have been neither sophisticated nor “new.” Not updating software and using default passwords are two very common careless mistakes that lead to easy break-ins by the bad guys.  Criminals often go for the quickest, low-hanging fruit – the unlocked cyber door that they can just walk through. 

This fact was confirmed in a Verizon security analysis report in 2015 that studied data breaches over the past decade and found almost every breach due to exploited vulnerabilities could have been prevented with PCI Data Security Standards at the time of their breach.   The problem was often a lack of discipline!  While cybersecurity sounds cool and exciting, much of the work that we must perform day in and day out can be monotonous.  Being disciplined and methodical in your approach, making it “business as usual”, being vigilant, applying your routines and looking for the abnormalities is critical to success.  Security standards work but only when executed properly all of the time.     

As we have seen in recent years, trouble often looms when stakeholders get confused by non-standard approaches to payment security.  The push-and-tug of competing standards, laws, regulations and variations between countries and regions can bog companies down with trying to figure out what to do without getting clobbered by a breach and its devastating fallout.  With that challenge in mind, the PCI-ECPA strategic partnership hopes to simplify the path to greater data security by helping all stakeholders achieve their goals – including governments and regulatory agencies. 

We simply cannot win the fight against cybercrime without working together, which is why we are so excited to have ECPA at the table with us as a strategic regional member.  ECPA will play a key role in participating and contributing to our work products, working across the payment ecosystem – with merchants, technology vendors and regulators – to promote a single global payment data security standard that works.  That is a very big deal on both sides of the pond.

Orfei is General Manager, PCI Security Standards Council


