On 5 March 2014, PCI SSC Chief Technology Officer Troy Leach testified before the Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit on the topic of “Data Security: Examining Efforts to Protect Americans’ Financial Information”.
Statement for the Record
Troy Leach
Chief Technology Officer
Payment Card Industry Security Standards Council
Before the Committee on Financial Services,
Subcommittee on Financial Institutions and Consumer Credit
United States House of Representatives
Data Security: Examining Efforts to Protect Americans’ Financial Information
March 5, 2014
2128 Rayburn House Office Building
Introduction
Chairwoman Capito, Ranking Member Meeks, members of the subcommittee, on behalf of the PCI Security
Standards Council, thank you for inviting us to testify today before the subcommittee.
My name is Troy Leach and I am the Chief Technology Officer of the Payment Card Industry (PCI) Security Standards Council (SSC), a global industry initiative and membership organization, focused on securing
payment card data. Working with a global community of industry players, our organization has created data
security standards—notably the PCI Data Security Standard (PCI DSS)—certification programs, training
courses, and best practice guidelines to help improve payment card security.
Together with our community of over one thousand of the world’s leading businesses, we’re tackling data
security challenges from password complexity to proper protection of PIN entry devices on terminals. Our work
is broad for a simple reason: there is no single answer to securing payment card data. No one technology is a
panacea; security requires a multi-layered approach across the payment chain.
The PCI Security Standards Council is an excellent example of effective industry collaboration to develop
private sector standards. Simply put, the PCI Standards are the best line of defense against the criminals
seeking to steal payment card data. And while several recent high profile breaches have captured the nation's
attention, great progress has been made over the past seven years in securing payment card data through a
collaborative cross-industry approach, and we continue to build upon the way we protect this data.
Consumers are understandably upset when their payment card data is put at risk of misuse and—while the
PCI Security Standards Council is not a name most consumers know—we are sensitive to the impact that
breaches cause for consumers. Consumers should take comfort from the fact that a great number of the
organizations they do business with have joined the PCI SSC to collaborate in efforts to better protect their
payment card data.
Payment card security: a dynamic environment
Since the threat landscape is constantly evolving, the PCI SSC expects its standards to do the same.
Confidence that businesses are protecting payment card data is paramount to a healthy economy and
payment process—both in person and online. That’s why to date, more than one thousand of the world’s
leading retailers, airlines, banks, hotels, payment processors, government agencies, universities, and
technology companies have joined the PCI Council as members and as part of our assessor community to
develop security standards that apply across the spectrum of today’s global multi-channel and online
businesses.
Our community members are living on the front lines of this challenge and are therefore well placed, through
the unique forum of the PCI Security Standards Council, to provide input on threats they are seeing and ideas
for how to tackle these threats through the PCI Standards.
The Council develops standards through a defined, published three-year lifecycle. Our Participating
Organization members told us that three years was the appropriate timeframe to update and deploy security
approaches in their organizations. In addition to the formal lifecycle, the Council and the PCI community have
the resources to continually monitor and provide updates through standards, published FAQs, Special Interest
Group work, and guidance papers on emerging threats and new ways to improve payment security. Examples
include updated wireless guidance and security guidelines for merchants wishing to accept mobile payments.
This year, on January 1, 2014, our latest version of the PCI Data Security Standard (PCI DSS) became
effective. This is our overarching data security standard, built on 12 principles that cover everything from
implementing strong access control, monitoring and testing networks, to having an information security policy.
During updates to this standard, we received hundreds of pieces of feedback from our community. This was
almost evenly split between feedback from domestic and international organizations, highlighting the global
nature of participation in the PCI SSC and the need to provide standards and resources that can be adopted
globally to support the international nature of the payment system.
This feedback has enabled us to be directly responsive to challenges that organizations are facing every day in
securing cardholder data. For example, in this latest round of PCI DSS revisions, community feedback
indicated that changes were needed to secure password recommendations. Password strength remains a
challenge—as “password” is still among the most common passwords used by global businesses—and is
highlighted in industry reports as a common failure leading to data compromise. Small merchants in particular
often do not change passwords on point of sale (POS) applications and devices. With the help of the PCI
community, the Council has updated requirements to make clear that default passwords should never be used,
all passwords must be regularly changed and not continually repeated, should never be shared, and must
always be of appropriate strength. Beyond promulgating appropriate standards, we have taken steps through
training and public outreach to educate the merchant community on the importance of following proper
password protocols.
Recognizing the need for a multi-layer approach, in addition to the PCI DSS, the Council and community have
developed standards that cover payment applications and point of sale devices. In other areas, based on
community feedback, we are working on standards and guidance on other technologies such as tokenization
and point-to-point encryption. These technologies can dramatically increase data security at vulnerable points
along the transactional chain. Tokenization and point-to-point encryption remove or render payment card
information useless to cyber criminals, and work in concert with other PCI Standards to offer additional
protection to payment card data.
In addition to developing and updating standards, the PCI community votes annually on which topics they
would like to explore with the Council and provide guidance on. Over the last few years the working groups
formed by the Council to address these concerns have collaborated with hundreds of organizations to produce
resources on third party security assurance, cloud computing, best practices for maintaining compliance, e-commerce guidelines, virtualization, and wireless security. Other recent Council initiatives have addressed
ATM security, PIN security, and mobile payment acceptance security for developers and merchants.
EMV Chip & PCI Standards—a strong combination
One technology that has garnered a great deal of attention in recent weeks is EMV chip—a technology that
has widespread use in Europe and other markets. EMV chip is an extremely effective method of reducing
counterfeit and lost/stolen card fraud in a face-to-face payments environment. That is why the PCI Security
Standards Council supports the deployment of EMV chip technology.
Global adoption of EMV chip, including broad deployment in the U.S. market, does not preclude the need for a
strong data security posture to prevent the loss of cardholder data from intrusions and data breaches. We
must continue to strengthen data security protections that are designed to prevent the unauthorized access
and exfiltration of cardholder data.
Payment cards are used in a variety of remote channels—such as electronic commerce—where today’s EMV
chip technology is not typically an option for securing payment transactions. Security innovation continues to
occur for online payments beyond existing fraud detection and prevention systems. Technologies such as
authentication, tokenization, and other frameworks are being developed, including some solutions that may
involve EMV chip—yet broad adoption of these solutions is not on the short-term horizon. Consequently, the
industry needs to continue to protect cardholder data across all payment channels to minimize the ongoing
risks of data loss and resulting cross-channel fraud that may be experienced in the online channel.
Nor does EMV chip negate the need for secure passwords, patching systems, monitoring for intrusions, using
firewalls, managing access, developing secure software, educating employees, and having clear processes for
the handling of sensitive payment card data. These processes are critical for all businesses—both large
retailers and small businesses—who have become a target for cyber criminals. For smaller businesses, EMV
chip technology will have a strong positive impact. But if small businesses are not aware of the need to secure
other parts of their systems, or if they purchase services and products that are not capable of doing that for
them, then they will still be subject to the ongoing exposure of the compromise of cardholder data and resulting
financial or reputational risk.
Similarly, protection from malware-based attacks requires more than just EMV chip technology. Reports in the
press regarding recent breaches point to the insertion of complex malware. EMV chip technology could not
have prevented the unauthorized access, introduction of malware, and subsequent exfiltration of cardholder
data. Failure of other security protocols required under Council standards is necessary for malware to be
inserted.
Finally, EMV chip technology does not prevent memory scraping, a technique that has been highlighted in
press reports of recent breaches. Other safeguards are needed in order to do so. In our latest versions of
security standards for Point of Sale devices (PCI PIN Transaction Security Requirements), the Council
includes requirements to further counter this threat. These include improved tamper responsiveness so that
devices will “self-destruct” if they are opened or tampered with, and the creation of electronic signatures that
prevent applications that have not been “whitelisted” from being installed. Our recently released update to the
standard, PTS 4.0, requires a default reset every 24 hours that would remove malware from memory and
reduce the risk of data being obtained in this way. By responding to the Council’s PTS requirements, POS
manufacturers are bringing more secure products to market that reflect a standards development process that
incorporates feedback from a broad base of diverse stakeholders.
Used together, EMV chip, PCI Standards, along with many other tools, can provide strong protections for
payment card data. I want to take this opportunity to encourage all parties in the payment chain—whether they
are EMV chip ready or not—to take a multi-layered approach to protect consumers’ payment card data. There
are no easy answers and no shortcuts to security.
Global adoption of EMV chip is necessary and important. Indeed, when EMV chip technology does become
broadly deployed in the U.S. marketplace and fraud migrates to less secure transaction environments, PCI
Standards will remain critical.
Beyond Standards – building a support infrastructure
An effective security program through PCI is not focused on technology alone; it includes people and process
as key parts of payment card data protection. PCI Standards highlight the need for secure software
development processes, regularly updated security policies, clear access controls, and security awareness
education for employees. Employees have to know not to click on suspicious links, why it is important to have
secure passwords, and to question suspicious activity at the point of sale.
Most standards organizations create standards, and no more. PCI Security Standards Council, however,
recognizes that standards, without more, are only tools, and not solutions. And this does not address the
critical challenges of training people and improving processes.
To help organizations improve payment data security, the Council takes a holistic approach to securing
payment card data, and its work encompasses both PCI Standards development and maintenance of
programs that support standards implementation across the payment chain. The Council believes that
providing a full suite of tools to support implementation is the most effective way to ensure the protection of
payment card data. To support successful implementation of PCI Standards, the Council maintains programs
that certify and validate certain hardware and software products to support payment security. For example, the
Council wants to make it easy for merchants and financial institutions to deploy the latest and most secure
terminals and so maintains a public listing on its website for them to consult before purchasing products. We
realize it takes time and money to upgrade POS terminals and we encourage businesses that are looking to
upgrade for EMV chip to consider other necessary security measures by choosing a POS terminal from this
list. Similarly, we are supporting the adoption of point-to-point encryption, and listing appropriate solutions on
our website to take a solutions-oriented approach to helping retailers more readily implement security in line
with the PCI standards.
Additionally, the Council runs a program that develops and maintains a pool of global assessment personnel to
help work with organizations that deploy PCI Standards to assess their performance in using PCI Standards.
The Council also focuses on creating education and training opportunities to build expertise in protecting
payment card data in different environments and from the various viewpoints of stakeholders in the payment
chain. Since our inception, we have trained tens of thousands of individuals, including staff from large
merchants, leading technology companies and government agencies. Finally, we devote substantial resources
to creating public campaigns to raise awareness of these resources and the issue of protecting payment card
data.
The PCI community and large organizations that accept, store, or transmit payment card data worldwide have
made important strides in adopting globally consistent security protocols. However, the Council recognizes that
small organizations remain vulnerable. Smaller businesses lack IT staff and budgets to devote resources to
following or participating in the development of industry standards. But they can take simple steps like updating
passwords, firewalls, and ensuring they are configured to accept automatic security updates. Additionally, to
help this population, the Council promotes its listings of validated products, and recently launched a program,
the Qualified Integrator and Reseller program (QIR), to provide a pool of personnel able to help small
businesses ensure high quality and secure installation of their payment systems.
The work of the Council covers the entire payment security environment with the goal of providing or facilitating
access to all the tools necessary—standards, products, assessors, educational resources, and training—for
stakeholders to successfully secure payment card data. We do this because we believe that no one technology
is a panacea and that effective security requires a multi-layered approach.
Public–private collaboration
The Council welcomes this hearing and the government’s attention on this critical issue. The recent
compromises underscore the importance of constant vigilance in the face of threats to payment card data. We
are hopeful that this hearing will help raise awareness of the importance of a multi-layered approach to
payment card security.
There are very clear ways in which the government can help improve the payment data security environment.
For example, by championing stronger law enforcement efforts worldwide, particularly due to the global nature
of these threats, and by encouraging stiff penalties for crimes of this kind to act as a deterrent. There is much
public discussion about simplifying data breach notification laws and promoting information sharing between
public and private sector. These are all opportunities for the government to help tackle this challenge.
The Council is an active participant in government research in this area: we have provided resources,
expertise and ideas to NIST, DHS, and other government entities, and we remain ready and willing to do so.
Almost 20 years ago, through its passage of the Technology Transfer and Advancement Act of 1995,
Congress recognized that government should rely on the private sector to develop standards rather than to
develop them itself. The substantial benefits of the unique, U.S. “bottom up” standards development process
have been well recognized. They include the more rapid development and adoption of standards that are more
responsive to market needs, representing an enormous savings in time to government and in cost to
taxpayers.
The Council believes that the development of standards to protect payment card data is something the private
sector, and PCI specifically, is uniquely qualified to do. It is unlikely any government agency could duplicate
the expansive reach, expertise, and decisiveness of PCI. High profile events such as the recent breaches are
a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government
regulations. Any government standard in this area would likely be significantly less effective in addressing
current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI
Standards.
Conclusion
In 2011, the Ponemon Institute, a non-partisan research center dedicated to privacy, data protection, and
information security policy wrote, “The Payment Card Industry Data Security Standard (PCI DSS) continues to
be one of the most important regulations for all organizations that hold, process or exchange cardholder
information.”
While we are pleased to have earned accolades such as this, we cannot rest on our laurels.
The recent breaches at retailers underscore the complex nature of payment card security. A complex problem
cannot be solved by any single technology, standard, mandate, or regulation. It cannot be solved by a single
sector of society—business, standards-setting bodies, policymakers, and law enforcement—must work
together to protect the financial and privacy interests of consumers. Today, as this committee focuses on
recent damaging data breaches, we know that there are criminals focusing on committing or inventing the next
threat.
There is no time to waste. The PCI Security Standards Council and business must commit to promoting
stronger security protections while Congress leads efforts to combat global cyber-crimes that threaten us all.
We thank the Committee for taking an important leadership role in seeking solutions to one of the largest
security concerns of our time.
# # #