As AT&T’s PCI Practice Director, Steve Levinson is charged with keeping companies, and the customers they serve, safe and secure when it comes to credit card transactions. It’s his job, says Levinson, “To help companies properly protect cardholder data so the bad guys don’t get it.”
Issues facing the PCI, or “Payment Card Industry,” are complicated, and the landscape continues to evolve rapidly. The proliferation of smartphones and smart mobile devices has been accompanied by a huge increase in their usage to pay for goods and services. As the industry tries to work mobile devices into the mix, Levinson predicts the PCI Security Standards Council, or PCI SSC, will wait a while before establishing a standard pertaining to the use of such devices for credit card transactions. “A lot of things need to happen to establish a secure baseline first,” he explains.
In the meantime, the industry continues to work to protect customer information. Unfortunately, there are many scenarios where a company can be PCI compliant without being fully secure: some QSAs do not perform thorough assessments, some companies are not aware of all of their cardholder data flows and repositories, and some companies implement technologies or applications without considering how they may impact their security posture. Ultimately, “the burden is on the merchant/service provider to secure that information.”
Levinson is keeping a close eye on mobile computing. “There haven’t been any big breaches,” he admits, “but the moment it happens the whole industry will be turned on its side.” He’s also busy consulting with companies on how best to implement and comply with the new version of the PCI Data Security Standard (2.0). As Levinson and his cohorts help customers develop and implement strategies, he foresees a world where tokenization and end-to-end encryption will negate or minimize the need for companies to house cardholder data, a scenario that may ultimately marginalize the need for PCI QSAs.
Levinson grew up in New York and spent a significant amount of time in Atlanta, where he graduated from Georgia Tech and the Emory Business School, before he and his family moved to San Diego, CA, almost two decades ago. When he’s not working to keep cardholder information safe, he likes to surf, ski, snowboard, cycle, and spend time with the family. He strongly encourages you to stay in the loop on all things PCI via this blog and by subscribing to AT&T’s official PCI newsletter.