Adam: What are the top PCI compliance challenges facing financial institutions?
Paolo: Understanding the scope and applicability of the PCI standards and how they apply to a particular organization is one of the most difficult undertakings for PCI compliance, especially with large and complex organizations that interact with cardholder account data management processes and the organizations that support the security of these environments.
Another area would be vulnerability management. This is also a major challenge for financial institutions with large, complex estates due to the myriad of different technologies used for operating systems, databases, applications, and other types of software in those environments. This means that there are potentially thousands of different pieces of software requiring patching, security evaluation, and monitoring, which becomes a nightmare to manage. Many customers don’t understand the astronomical undertaking required for true vulnerability management.
Adam: How do you see cryptographic architecture evolving in financial services?
Paolo: Cryptographic architecture has not really adapted completely to serve a rapidly evolving technology world. Various global standards have also struggled to maintain pace with the emergence of new technologies and have slowed the evolution of cryptographic solutions much like a car trying to pull away with the handbrake up.
In the future, I see processes like paper-based, clear-text symmetric key component management being eradicated entirely and replaced by simpler, more efficient practices, like the use of public key cryptography in the sharing of keys and a more prominent role being played by cryptographic hardware such as HSMs in these processes. Interoperability amongst cryptographic hardware vendors will be a key factor here. This is an important step toward a future where cryptographic hardware and key management is something that can be performed completely remotely and securely, with equipment hosted in public and private clouds distributed around the globe. Securely being the key part of that sentence.
Adam: What tools and learning resources do you recommend for companies new to the payments industry and PCI compliance?
Paolo: Naturally the best place for PCI-related resources would be the PCI Security Standards website which has a wealth of resources pertaining to all types of PCI programs and standards. Navigate to the document library, Newsroom, or FAQs pages from there. The card payment brands also provide resources and guidance for the businesses handling cardholder account data:
And of course, contacting a PCI Qualified Security Assessor company is a great way to get guidance and assistance in this space.
Adam: You’ve traveled worldwide to work with Foregenix’s global customers. Do you have a favorite story from your travels you’d like to share?
Paolo: I don’t have a favorite story necessarily, but rather everything about traveling and experiencing different people and culture is fantastic. Experiencing different perspectives and approaches to cybersecurity and the industry standards, in general, has been an incredible learning experience and has played a huge role in my personal development.
Besides the endless beautiful cloud formations seen through an airplane window and the incredible food experiences in most places I’ve traveled to, there are a few events that stand out. Whether it was auditing an environment located in a nuclear bunker in Finland, evacuating offices in Maputo after bombs started exploding in a nearby ammunition dump, checking into a Montpellier hotel whilst the Miss France beauty pageant finalists were also checking in, or being deported from Angola after uncovering a fraud syndicate — it has all been pretty exciting.
Adam: What payments industry trend are you most excited about?
Paolo: Contactless payments on smart devices (tablets, smartphones, etc.) are a trend that I am particularly interested in, as they are an important step toward making the payment process quick and easy, whilst introducing some serious challenges where cardholder account data security and cardholder authentication are concerned.
PCI standards like SPOC and CPOC aim to address some of the security issues in these areas, but there are quite a few limitations on what can and can’t be done in this space. The standards around EMV also play a role here in ensuring the integrity and authenticity of these types of payments, whether they are made using a physical payment card or a virtual payment card sitting on another smart device.
The possibilities in this space are really exciting and there are some excellent opportunities for the invention of new mechanisms to facilitate security of these payment processes, which is what makes it so exciting.