PCI's Russo Stepping Down
Why Some Experts Say Change Could Be Good for Council
Bob Russo, long-time general manager of the Payment Card Industry Security Standards Council, will retire at the end of the year.
His replacement, Stephen Orfei, is slated to take the helm in September, when the PCI Council will host its North American Community Meeting in Orlando.
Orfei, vice president of strategic relationships for PCI compliance and forensics consultancy Arsenal Security Group, was hired after a more than nine-month search conducted by an international recruiting firm, according to a statement posted on the PCI website. Hundreds of candidates with backgrounds in banking, retail and association work were reviewed for the position, the council says.
Some security experts say the change could be a good thing for the PCI Council's image, but Orfei will have his work cut out for him.
"It was time for a change at the PCI Council," says Gartner analyst Avivah Litan. "Bob did a good job launching the council and seeing it through its formative years. But it's apparent that some major overhauls are needed to the processes around PCI, and perhaps to the standards themselves, since the status quo has failed to stop the major breaches."
In recent months, questions have been raised about why compliance with the PCI Data Security Standard did not play a role in preventing several cardholder data breaches at major retailers. But during a recent interview, Russo said ensuring end-to-end security at the point-of-sale requires more than just PCI compliance (see P.F. Chang's Breach: Link to Target?).
"Compliance does not equal security," Russo said. "Even with the best standards in place, these criminals are persistent in their attacks ... and businesses basically have to be defensive in their protections."
Russo could not be reached for further comment regarding the hiring of Orfei. But Lib DeVeyra, chairman of the PCI Council and vice president of emerging technologies for payment card management provider JCB International Credit Card Co. Ltd., says Orfei's hands-on management experience and expertise will be an asset to the council.
"Steve represents an exciting move forward for the council as we focus on delivering standards, solutions and services to secure the future of payments," DeVeyra says. "We look forward to his start and the opportunity for PCI participating organizations and assessors to meet him at our annual Community Meeting in September."
As new payment technologies evolve, having Orfei's leadership will be critical, DeVeyra says. "Steve's background in innovative technology, product development and management, and partnership building means he is strongly positioned to lead us into this future."
PCI: Moving Forward
Even with a change in leadership, the PCI Council can only control so much, Litan adds. Real change must come from the card brands, she says. "They should consider mandating tokenization and end-to-end encryption from merchants to issuers," Litan says. "It will take seven years, at least, for EMV to roll out, so interim measures for card present and card-not-present commerce are needed."
Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, says Orfei needs to focus his attention on making the PCI-DSS relevant in today's threat landscape. "The new guy has a lot of work to do," he says. "The threat environment has changed much faster than the standard has - as always happens with standards."
But Al Pascual, a fraud and security analyst at consultancy Javelin Strategy & Research, says the role of PCI, not necessarily the standard, is in need of change.
"Some would deride PCI for the pace at which it has responded to payment technology innovation and threats, yet they managed to be far more nimble as a private organization than any similar government entity has managed," he says. "That being said, where we are today is remarkably different than where we were in 2004, and it looks like Stephen Orfei has the experience necessary to succeed in an environment where all of PCI's stakeholders and relying parties are under attack by technically sophisticated and determined adversaries."
According to his LinkedIn profile, Orfei joined MasterCard in 1996, where he held a number of positions, including group head of emerging payment platforms. Orfei joined Arsenal Security in January 2011.
His background includes work within international telecommunications and military service, according to the PCI Council. He also holds several industry patents and awards.
"Orfei brings to the council a strong background in payment technology and innovation," the council notes. "He has a proven track record of driving complex projects through to completion. With frontline experience defending targets from cyber-attack, Orfei understands the perspectives of many PCI SSC stakeholders."