In this post, we get insights from Andrew Henwood, CEO of Foregenix. He will present Local is Lekker: PCI Perspectives and State of the Nation at the Middle East and Africa Forum in Cape Town, South Africa on 29 March 2017.
What are the unique challenges that the African region faces when it comes to payment security?
Andrew Henwood: Africa is very much a developing region and we’re seeing significant growth in all aspects of payments, due to the explosion of connectivity options to the Internet. This explosive growth, as we’ve seen in more developed markets, often out-paces basic security defences and thus we’re seeing increases in compromises of sensitive payment data until public awareness of the risks is established and more mainstream.
Why is it important for organizations to view security as more than just an IT issue, but as a business priority?
Andrew Henwood: Security underpins the basic trust relationship between an organisation and their respective customers, whether they are consumers or other businesses. If this trust relationship is broken through a security incident, international research has demonstrated significant impact to an organisation through large efforts in responding, understanding, containing and remediating the effects of a breach. Security should form part of the “business as usual” approach of any business. It should form an intrinsic part of any and all initiatives and security must be baked-in to ensure current and evolving threats are mitigated. Without prioritising security, organisations run the risk of becoming another breach or compromise headline and contributing to the fast growing statistic.
Additionally, legislation is coming to bear in the EU and South Africa (namely the Gramm-Leach-Bliley Act or GLBA & Protection of Personal Information or POPI) that will hold owners criminally liable for negligence around handling of personal information. This is imminent and will require and force security to become a business priority. It will no longer be an option.
What does it mean to become a PCI-P2PE solution?
Andrew Henwood: Becoming a PCI-listed P2PE solution means a business has implemented a solution which can be used by merchants to minimize applicable PCI DSS requirements for a typical merchant environment, providing full security to customer data from the payment terminal to the solution provider’s decryption environment. Becoming a PCI-listed P2PE solution also means the solution is actually listed on the PCI SSC website.
Validation of a P2PE solution means that a solution provider has demonstrated that processes are in place to verify the chain of custody and security of all devices handling cardholder data and cryptographic keys, including card payment devices, key injection devices and encryption processing devices. Additionally, the keys used to encrypt cardholder data are created and managed such that no individual can ever access an encryption key, thereby increasing the security and integrity of the solution protecting customer data.
How does implementing P2PE secure payments?
Andrew Henwood: Implementing a P2PE solution encrypts customer data at the payment terminal, typically using a key which is used for that transaction only, after which that key is discarded. The customer data is encrypted throughout its passage through merchant infrastructure, thereby minimizing the applicable PCI DSS requirements for the merchant environment. The card data is not decrypted until it reaches the solution provider’s decryption environment. If any malicious actor were to intercept traffic, they would only receive encrypted data. Moreover, if this individual cryptogram were compromised, no information would be disclosed which would allow the attacker to compromise other cryptograms created within the same solution.
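The answer above describes the unique-key-per-transaction property of P2PE: the terminal encrypts under a key it then throws away, the solution provider's decryption environment can re-derive that key from the base derivation key, and a captured transaction key opens nothing else. The following Python is an added example written for this post to make that property concrete; it is not Foregenix's code, not Andrew Henwood's words, and not the ANSI X9.24 DUKPT algorithm used by real terminals. It models a simplified hash ratchet: a device-unique chain key is stepped forward with a one-way function per transaction, and the transaction key is a separate one-way image of the chain key. The HMAC-SHA256 keystream stands in for the TDES/AES a real secure cryptographic device would use, and all keys, device IDs and PANs are constructed test values.

```python
"""Illustrative unique-key-per-transaction ratchet (added example, not X9.24 DUKPT).

Property shown: the terminal keeps only a chain key and a counter; each
transaction key is used once and discarded; the decryption environment
re-derives it from the base derivation key (BDK) and the key serial number
(KSN); compromise of one transaction key does not open other cryptograms.
"""
import hashlib
import hmac

TAG_LEN = 32  # full HMAC-SHA256 tag


def prf(key: bytes, label: bytes) -> bytes:
    """Keyed one-way function used for every derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()


def initial_key(bdk: bytes, device_id: str) -> bytes:
    """Device-unique initial key, derived from the BDK at key injection time.
    The BDK itself never leaves the solution provider's HSM."""
    return prf(bdk, b"IK|" + device_id.encode())


def derive_txn_key(chain_key: bytes):
    """Return (transaction key, next chain key). Both are one-way images of
    chain_key, so a leaked transaction key yields neither the chain key nor
    any other transaction key."""
    return prf(chain_key, b"TXN"), prf(chain_key, b"NEXT")


def _keystream(key: bytes, nbytes: bytes) -> bytes:
    """PRF-based keystream standing in for a real block cipher mode."""
    out, block = b"", 0
    while len(out) < nbytes:
        out += prf(key, b"KS|" + block.to_bytes(4, "big"))
        block += 1
    return out[:nbytes]


def seal(txn_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys split from the transaction key."""
    enc_key, mac_key = prf(txn_key, b"ENC"), prf(txn_key, b"MAC")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + prf(mac_key, ct)


def open_(txn_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag, then decrypt; wrong key or tampering raises ValueError."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key, mac_key = prf(txn_key, b"ENC"), prf(txn_key, b"MAC")
    if not hmac.compare_digest(prf(mac_key, ct), tag):
        raise ValueError("cryptogram rejected: wrong transaction key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


class Terminal:
    """Payment terminal: stores only the current chain key and a counter."""

    def __init__(self, device_id: str, injected_key: bytes):
        self.device_id = device_id
        self._chain_key = injected_key
        self.counter = 0

    def encrypt_pan(self, pan: str) -> dict:
        txn_key, next_key = derive_txn_key(self._chain_key)
        self._chain_key = next_key  # ratchet forward; the old chain key is gone
        cryptogram = seal(txn_key, pan.encode())
        ksn = (self.device_id, self.counter)  # key serial number sent in clear
        self.counter += 1
        del txn_key  # discarded; a real device zeroises it inside the SCD
        return {"ksn": ksn, "cryptogram": cryptogram}


class DecryptionEnvironment:
    """Solution provider side: holds the BDK and re-derives any terminal's
    transaction key from the KSN alone (linear walk for clarity)."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk

    def txn_key_for(self, ksn) -> bytes:
        device_id, counter = ksn
        chain = initial_key(self._bdk, device_id)
        for _ in range(counter):
            _, chain = derive_txn_key(chain)
        return derive_txn_key(chain)[0]

    def decrypt(self, msg: dict) -> str:
        return open_(self.txn_key_for(msg["ksn"]), msg["cryptogram"]).decode()


def demo():
    """Two transactions round-trip; a leaked key from the first cannot open the second."""
    bdk = bytes(range(32))  # constructed BDK for the example, not a real key
    term = Terminal("TERM-0001", initial_key(bdk, "TERM-0001"))
    backend = DecryptionEnvironment(bdk)
    msgs = [term.encrypt_pan("4111111111111111"), term.encrypt_pan("5500000000000004")]
    pans = [backend.decrypt(m) for m in msgs]
    leaked_key = backend.txn_key_for(msgs[0]["ksn"])  # attacker somehow has key 0
    try:
        open_(leaked_key, msgs[1]["cryptogram"])
        cross_decrypts = True
    except ValueError:
        cross_decrypts = False
    return pans, cross_decrypts
```

The linear re-derivation in `txn_key_for` is the simplification to be aware of: X9.24 DUKPT instead derives keys along a tree indexed by the KSN counter so the host needs only a bounded number of steps per transaction, and the terminal's stored future keys are organised the same way. The security property the interview describes is the same in both: a transaction key is a one-way image, so intercepting one cryptogram or one key reveals nothing about the others.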
Recent industry reports show that it takes on average 8 months to detect a breach. Why does it take so long and what can be done to shorten this time frame?
Andrew Henwood: We’ve been in payment security for over 15 years and it is evident from our Digital Forensics and Incident Response (DFIR) work that security is not being incorporated and considered as business essential. It is simply not being baked-in. This means that there are often little to no mechanisms, solutions or tools to detect a breach within an organisation, until typically a third party notifies them of the fact.
What is the one key takeaway you hope attendees will come away with after your discussion?
Andrew Henwood: I truly hope my session will resonate with the audience in that we’re in this together, and can leverage off global expertise and bake-in security to all aspects of their business, without impeding innovation.
What are you most looking forward to at this year’s Middle East and Africa Forum?
Andrew Henwood: The Middle East forum is an opportunity to network and interact with in-region folks who are experiencing similar challenges surrounding payment security. It brings together industry experts but, more importantly, the ability to collaborate with your peers, which is invaluable. Additionally, personally, we’re very excited to welcome guests to the first PCI SSC event in Africa and showcase the hospitality of the Mother City, Cape Town.
About Andrew Henwood:
Mr Henwood is the CEO of Foregenix, a cyber security consultancy and solution provider. Foregenix is a PCI QSA, PA-QSA, P2PE and PFI certified company and provides assessment services and innovative, baked-in cyber security solutions globally.
Mr Henwood is a PCI security industry entrepreneur and is active in evangelising and recommending cyber security best practices through experience garnered from over 18 years of work in the field.
Mr Henwood has been involved in the payments industry since 2001, when he assisted in developing the first versions of the payment brand security standards in Europe. Mr Henwood is a frequent public speaker on cyber security topics.