Neira Jones, Barclaycard: "The internet does not wait for your CEO to respond"

Barclaycard Payment Acceptance is one of Europe’s largest acquirers and processors of card transactions, with over 45 years’ experience and more than 105,000 retailer and business relationships. Barclaycard Payment Acceptance enables credit, debit and charge card acceptance in companies ranging from small shops to multinational businesses; online, telephone, and mail order payments are supported on a local and international basis throughout Europe.

Barclaycard Payment Acceptance also offers secure online solutions via Barclaycard SmartPay. Barclaycard SmartPay makes the complex simple by delivering next generation secure and flexible processing across multinational and domestic markets. It also gives you complete control over your payment page, with custom design multilingual pages allowing you to accept local payment methods, all securely hosted.

The Paypers sat down with Neira Jones, Head of Payment Security at Barclaycard, the keynote speaker at the upcoming MRC Europe Platinum Meeting, to be held in Rome (September 12 - September 14, 2012). In 2011, Neira Jones was inducted to the Infosecurity Europe Hall of Fame and in April 2012 at SC Magazine Awards 2012 Europe she was awarded Information Security Person of the Year. The Barclaycard Payment Security team which she heads has twice been awarded the Information Security Team of the Year award from SC Magazine the first time in 2011 and again in 2012. Past awards include the 2010 European Card Acquiring Forum (ECAF) award for Data Security (PCI DSS) and in October 2010, Neira was voted one of the top 10 most influential people in infosec in the UK by SC Magazine and ISC2. In addition, Neira has been on the PCI Security Standards Council Board of Advisors since 2009 and has over twenty years experience in financial services working among the best known and respected names in the financial services sector.

What are the key points that you will be discussing at the upcoming MRC Europe Platinum Meeting to be held in Rome (September 12 - September 14, 2012)?

Neira Jones: I’ll be focussing on the social media side of incident response, so, for everyone who wasn’t impressed with LinkedIns social media crisis response after more than 6 million user passwords were leaked on 6th June, then this session should be of interest!

When addressing incident response and the importance of communicating with the media in a timely manner, too many companies forget about the impact of social media. Whilst the draft NIST report SP 800-61 gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, there are undeniable benefits in exploring the use of social media when tackling incident response.

After all, weve all seen how quickly news can spread on Twitter... So, should you be breached, you would no doubt have a crisis communication process already in place, but is it effective and ready for the digital age...? You need to be prepared: after all, the internet does not wait for your CEO to respond, the news will spread with or without your involvement.

How do you define the concept of “incident response” and how does this approach help improve organizations response to security issues?

Neira Jones: The concept of incidence response focuses on how to establish suitable means of communication for deployment both internally and externally should a breach occur which is fit for today’s digital age. Alongside appropriate preventative measures to protect organisations from an incident occurring in the first place! This approach means that organisations can be prepared and minimise impact to their brand by effectively managing incidents in a timely and efficient manner and maybe even being able to turn a crisis into an advantage for the organisation.

Social media offers important business advantages to companies and organizations, but also has well-known security risks. In your opinion, what are the main security threats posed by social media and how can they be addressed?

Neira Jones: The main risks of social media are privacy violations, corporate reputation damage and loss of competitive advantage as employees use personal accounts to communicate work related information or users of social media are easily linked to employees via photographs or tenacious connections. Furthermore when employees use company supplied mobile devices to access social media sites there can be the additional risks of infection of these devices, data leakage, data theft and potential bypassing of enterprise controls. The excessive use of social media in the workplace also presents the risk of not only loss of productivity but also the increased risk of exposure to malware and viruses and network utilisation issues as infrastructure is overloaded.

These threats can all be addressed with the creation of social media policies which form an intrinsic part of existing corporate governance. These guidelines will set the ground rules and make employees aware of the risks of social communications. They should also include details of the ramifications of policy violation and not just be restricted to employees but also include guidelines for communications with partners and other endorsers in relation to acceptable disclosure within the risk framework.

Your role as a Barclaycard security expert gives you a great deal of insight into the main issues facing retailers. Could you mention some of these issues and how can they be prevented?

Neira Jones: Alongside social media and incident response, the complexity and rapid development of new channels presents a real risk today as retailers embrace new technologies with security taking a back seat. IT and Security budgets are out of alignment. The speed of development presents a real risk as the full extent of risk for the new channels and new technology is not yet known. Resource needs to be balanced between IT development and Security so security projects are not delayed unnecessarily.

Out of date authentication procedures also present a great risk, with many retailers still using static user name and passwords despite security breaches becoming a statistical certainty. Retailers need to secure access to their websites with more intelligent authentication and protect their brand.

What support does Barclaycard provide to address payment security issues?

Neira Jones: Barclaycard’s award winning Payment Security Team ensures that the compliance requirements of our merchants are fully understood and met according to the PCI Data Security Standard. We also provide assistance, education and advice to merchants helping them to mitigate the risks of fraud and the associated costs and penalties.

Barclaycard has a range of relationships with third parties such as Qualified Security Assessors, Payment Service Providers, Internet Security Specialists and solution specialists that enable us to offer additional support to merchants. We also work with a range of fraud partners to address security issues relating to authentication and protection of customer facing websites and the overall company brand.

Barclaycard continues to be seen as a thought leader in the industry, which is typified by the recent launch of the Barclaycard Risk Reduction Programme (BRRP). This was created in response to our customers’ needs and provides our merchants with the ability to work towards or maintain their PCI DSS compliance by reducing prioritised risk over time. This can help to decrease the cost of our merchants’ compliance programmes by enabling closer integration between their PCI DSS compliance and wider information governance requirements. Last but not least, we have a dedicated website to help with all your payment security needs located at www.barclaycard.co.uk/pcidss, and a range of leaflets and white papers that can be down loaded direct from the site.

In your point of view, does compliance equal security? Does a security-centric approach have the same goals as a compliance-centric one?

Neira Jones: No, compliance does not equal security. A compliance centric approach just provides a tick in the box as at a certain point in time – this will not identify and mitigate the biggest risks. Whereas a security centric approach means you can have more of a parallel approach aligning security to business model growth and fix the basics first so biggest risks are mitigated first. A security centric approach usually means that compliance follows naturally once greatest risks have been identified and reduced.

Alternative payments and the rapid increase of nonbank players in the retail payments environment have revolutionized the payments system. Have such changes brought about new challenges from a fraud-and-security perspective? Or, on the contrary, could new players provide new tools to make the payments environment safer?

Neira Jones: New payment channels have resulted in additional risks especially where businesses have been driven by consumers. Often security lags behind the consumer demand for the latest app or new payment method.

What are you hoping to see/hear at the MRC Europe Platinum Meeting in September?

Neira Jones: Consortium level buy in to the reality of risks to their business and how they can align these risks with their business objectives and priorities. I want to hear how members of the MRC will demonstrate leadership by acknowledging their risks, selecting the right partners to help mitigate these risks and above all how they will ensure they can be prepared!