New PCI council leader ready to take on the hackers

Stephen W. Orfei is the incoming general manager of the PCI Security Standards Council. He succeeds the council's first general manager, Bob Russo, who will retire at the end of 2014. Here he speaks to ComputerworldUK's sister title CSO about hackers, security challenges and efforts to overcome the backwardness of US payment card technologies.


Orfei has decades of experience in payment technology, including 13 years in telecom with MCI International as director of international business marketing, and 14 years in payments with MasterCard Worldwide, the last three as senior vice president of emerging payments platform, advanced technology.

Last month, Orfei applauded President Obama's executive order requiring US federal agencies to adopt EMV (chip and PIN) technology for government payment cards and for point-of-sale terminals at government facilities.

In a statement, Orfei called EMV a "critical layer in any payment security strategy," but added that, "it is not by itself a silver bullet for data protection," since it does not stop malware or card-not-present attacks.

Orfei recently spoke with CSO about his goals for the council and about better security practices for the payment card industry.

CSO: In your view, what in your background and experience is the most important qualification for this post; and what drew you to PCI SSC?

Orfei: I was drawn to this position for one simple reason: The council is leading a critical fight; we are taking on the hackers who have taken aim at our way of life and at our financial system. We are the good guys, fighting the good fight. I'm honored and humbled to lead this global cross-industry coalition in tackling the challenges of payment security.

My background and experience has had me on the front lines with merchants, technology companies and financial institutions. I am passionate about technology, payments and security, and I will be tireless in my efforts to fight this fight.

CSO: What are your short- and long-term goals while in this position?

Orfei: I have three: First, my vision for the council is to be a "Center of Excellence." We need to expand our focus on standards and become a trusted source for payment security matters. We'll provide subject matter expertise, best practices, security standards, vetted solutions, laboratory testing, training and education. We're moving in this direction with forthcoming studies on tokenization, mobile and cloud technologies that are crucial to the future of payment security.

Second, I would like to see us improve our collaboration across industries and sectors. No single organization can ensure payment security on its own. We need to work together with merchants, acquirers, financial institutions and law enforcement.

Third, I want to expand our geographic reach. Payment security is a global problem requiring global solutions. That's why I'm particularly excited about our upcoming meeting in Asia-Pacific, and we plan to have our first face-to-face meetings in the Middle East region next year.

CSO: Given that the holiday shopping season has also come to be known as "hacker season," what are the special/unusual risks confronting companies and shoppers?

Orfei: Make no mistake, hackers are hitting everything that's not nailed down, and they know that the holidays are a particularly vulnerable time for merchants. Not only does the increased number of payment transactions make retailers a high-value target for hackers, but also temporary staff changes and updates to systems that take place during this busy season can put businesses at increased risk. With these seasonal challenges against the backdrop of vulnerabilities and threats such as Shellshock and Backoff malware, it is more critical than ever for organizations to be vigilant.
