On the Hot Seat: PCI Security Council's Stephen Orfei


There are few matters more pressing to retailers than security. FierceRetailIT sat down with the PCI Security Standards Council's incoming General Manager, Stephen Orfei, to discuss his plans for the group and what retailers should focus on during the holiday season.

FierceRetailIT: You've just come on board, and I'm curious if you can tell me what your goals are for the council moving forward.

Stephen Orfei: I'm very interested in changing the dialogue in the marketplace from one of compliance to one of a prioritized approach, where security is the objective and compliance is a longer-term objective. I come from a product background, so I very much view the merchant as my customer, and I want to keep the merchant community front and center.

We're at an interesting point in time in that we have technology in point-to-point encryption and tokenization that can actually get us to the end game, and that end game is to devalue the data so that it is useless in the hands of criminals.

The focus needs to be on who the real enemy is, and that is organized crime and state-funded actors. I want to work very closely with the merchants to help them defend their businesses and the data that they process, transmit and store. [To] take the council to the next level and be that trusted authority, a center of excellence, so that the merchant community has a place to turn for anything and all things that involve payment security.

FierceRetailIT: We are entering what some people have been calling 'hacker season.' What are you expecting in the next couple of months, and what are some steps that retailers can take to defend themselves, both from malware and hackers?

Stephen Orfei: The term 'hacker season,' I've heard quite a bit and it is exactly that. We see the hacker community being very, very active and engaged at this point in time as a result of the number of transactions and data that's actually being processed. It is particularly important for the merchant community to be vigilant here and really pay close attention to monitoring their business, their files, and looking for any abnormal behavior because this is the time when you can expect that to occur. Our message is always [that] security is a layered approach, and it involves people, process and technology. So, you may have the technology in place to defend against hack and attack, but you really need to be vigilant, particularly in this holiday season.

FierceRetailIT: What kind of mistakes are retailers making when it comes to payment card security?

Stephen Orfei: As someone who's worked in cyber security for the past four years, I understand the challenges and I'm empathetic to the position the merchants are in. They [have] built a business and now they've got to take on a pretty sophisticated adversary. I think that there are a few things that would be worth focusing on. One is to have vigilance from the top down in an organization, and get everybody on board that this is not just an IT problem. Everyone in the company has to build this into their DNA that security is 24/7.

You have to be vigilant. You have to really monitor and surveil your network and look for abnormalities. If you see large blocks of data being taken from your site and sent to an IP address in Russia, that's a real problem. So, I'm advocating right now that merchants really have a vigilant eye here. They made the investments in the systems and it's a layered approach. Again, it's people, it's process and it's technology. We've got to build that into their DNA.

FierceRetailIT: So many of the breaches we've seen are because of malware. Why is this, and what role do the standards play? Are they working? Are they not? What more needs to be done?

Stephen Orfei: Actually, I think the standards provide exceptional guidance and are the best standards out there around payment security. Malware is an attack that, believe it or not, is over 10 years old. It's really not all that sophisticated and if you do proper monitoring and you apply the rigor that is required, you can identify it. And if you secure your perimeter, if you look at your back office, if you monitor your logs, all of which, by the way, are addressed in the standards, you can defend against malware. It's really not a sophisticated attack.

FierceRetailIT: As the council turns its attention to third party providers and defending against those kinds of breaches, what is it that retailers really should be looking for?

Stephen Orfei: Third-party security assurance really provides very good guidance and [was] developed by many merchants in our special interest groups. These remote access attacks are very often simple password types of attack vectors that are occurring. I think you really have to look at your business partner, and hopefully they're a trusted partner. You've got to look at their process and be concerned with their security practices. You have to impose your requirements on them, because you're relying on them to perform certain functions. They have access to your data, they're a critical business partner, and we're all in this together. We have to take this on in a comprehensive manner.

FierceRetailIT: We're very aware of what large corporations have suffered at the hands of cyber criminals. What about the smaller to mid-size retailers? Are there special sets of considerations that they need to take into account?

Stephen Orfei: It's really the fundamentals. I think a lot of that is some of the guidance we put out around passwords, about being aware and then monitoring your systems. If there's one message there, it's simply to monitor your network, keep up with your patches, your software patches, and be vigilant, looking around and seeing what's going on in your network.

FierceRetailIT: Will EMV really make things more secure, and what types of breaches will it prevent?

Stephen Orfei: EMV will absolutely deliver on its promise, and that is it will button down the point of sale. It does an exceptional job of securing the point of sale in the physical world. I would caution you, though, that it is not a silver bullet. It does not secure the card-not-present environment. It is a critical layer of security, one that we will all benefit from, but it is just one of many layers that's required to protect the payment data.

As General Manager, Mr. Orfei leads the PCI Security Standards Council in its mission to increase payment data security globally through the development and delivery of standards, solutions and services for merchants, banks and other key stakeholders involved in the global payment card transaction process. Holder of several payments-industry patents and awards, Orfei has held senior posts at an international telecommunications corporation, security assessment companies and a global payment card brand, and has served in the military.