The Future of PCI

Community Meeting Focuses on Collaboration, New Threats


Point-of-sale breaches are a huge worry for merchants, and for good reason. The exfiltration of card data from U.S. POS systems has become a frequent occurrence, and retailers are feeling increased pressure to shore up their network defenses and enhance their malware detection (see Senators Probe 2 Recent Breaches).


But merchants must guard against focusing too much attention on short-term threats and, instead, work toward long-term planning that includes strategies and technologies that can address future, and sometimes unforeseen, threats.

That was the over-arching message at the North American PCI Community Meeting in Orlando, Fla., where incoming PCI Security Standards Council General Manager Stephen Orfei stressed the need for more global compliance and a focus on merchant security.

"We really need to have a risk-based dialogue versus a compliance-based approach," Orfei says during an interview with Information Security Media Group during the event Sept. 10. "My message to the marketplace right now is we are here to collaborate and truly be a merchant organization."

While Orfei envisions the council evolving into an organization that more strongly focuses on prescriptive guidance for malware mitigation, compliance with data security standards and ongoing security training, he warns that merchants and the payments industry have to be committed to long-range security planning.

Attacks against in-person point-of-sale transactions are a worry today. But tomorrow's attacks will likely be aimed more at e-commerce and mobile payments, Orfei stresses. That's why the industry has to start thinking ahead, he says.

The Compliance Challenge

Troy Leach, the council's chief technology officer, notes that ongoing compliance with the PCI Data Security Standard has proved challenging for small and large merchants alike, because of the way they view security.

"Most organizations today are not measuring their PCI in scope," Leach says during a presentation about 12 critical requirements contained within the PCI-DSS that all merchants should be measuring. "Metrics determine the effectiveness of controls."

When it comes to ensuring ongoing PCI compliance, it's critical that organizations regularly track the effectiveness of the controls and technologies they put in place, Leach says. Without metrics, it's impossible for any business to evaluate the ongoing success of a specific control or technology, he adds.

Over time, the effectiveness of controls decreases, Leach says. As businesses upgrade systems or modify networks, the controls they have in place must adjust accordingly. And all of those changes and modifications have to be measured, Leach says.

The Merchant's Role

That need for ongoing assessment and measurement is one most merchants fail to appreciate, says qualified security assessor Jacob Ansari.

"The very old, very basic kind of security flaws still remain - weak passwords, insecure remote access, lack of security patches, things like that that in some cases have been almost deliberately set up to make it easy for that reseller or that POS support person to do the maintenance," Ansari says. That's especially true of smaller merchants, he adds.


Jacob Ansari, a QSA for Sikich, on the unique PCI compliance challenges big-box retailers face.

But larger merchants face their own challenges, and they, too, struggle to maintain PCI compliance, Ansari says.

"Some of these retailers are getting compromised faster than we can detect the attacks," Ansari explains. "Ongoing PCI is a challenge. It's very, very complicated and has many situation-specific qualities to it. ... We have to work with these organizations and make them realize the risks and then help them find solutions that work."