Business leaders discuss future security measures at Stanford summit

Financial services must take care of customers' data as if it were their own, industry experts say.

Businesses play an integral role in creating a secure online environment and also stand to benefit from innovations that protect transactions, according to government and business leaders who participated in a discussion on Internet security held today at Stanford University. The session was part of the White House Summit on Cybersecurity and Consumer Protection.

Maria Contreras-Sweet, administrator of the U.S. Small Business Administration (SBA), opened the session by announcing a new program to help small businesses adapt to security changes in payment systems that are set to be implemented Oct. 15.

“Business owners who fail to act by that date will be looking at the L-word, ‘liability,'” Contreras-Sweet said. Businesses will need to update their payment technology to accept so-called EMV credit cards, which contain a computer chip, or assume liability for fraud committed. “Our message is that they must take care of customers’ financial data as if it were their own,” she said. The SBA will be working to educate small businesses and provide support for the upgrades, she added.

This focus on retail transactions reflects the volume of those transactions, according to Sarah Bloom Raskin, deputy secretary in the U.S. Department of the Treasury, who said some estimates are that $4 trillion per day transfers though our country’s payment systems.

What’s more, those transactions can go through credit card, debit card, prepaid card, mobile phone, PayPal, Google Wallet, Apple Pay or other payment systems. “These permutations provide a variety of entry points for bad actors,” Raskin said. “The vulnerabilities for mischief are myriad.”

Dan Schulman, president and chief executive officer of PayPal, said there is only one way to completely stop financial fraud. “You do no transactions,” he sad. “But you have 160 million consumers and merchants counting on you, so that’s not possible.”

Shulman said that security measures can protect against many kinds of fraud, but with somewhere between 500 million and 5 billion identities compromised last year, many of the bad actors enter with real credentials. “Most people are good guys,” he said. “But you have bad actors, and you want to protect those who have been compromised by shutting down their accounts. It’s not just technology, but data and risk analytics that is one of our most powerful weapons.”

The panelists agreed that tokens, which are a short-lived entity that temporarily carries account information for a transaction, could reduce risk. “But let’s think to the future,” said Richard Davis, chairman and chief executive officer of US Bank. Beyond technology fixes for each transaction, he thinks financial services and government need to work more closely to monitor threats.

He described a successful collaboration that began between financial services to monitor cyber attacks, and later came to include the Treasury Department. “There is a really good outcome between financial services and the treasury,” he said.

The session took place a few hours after President Barack Obama signed an executive order creating a framework to create these kinds of private sector and government partnerships.

Stanford Law Professor George Triantis said bringing groups together is the only way to tackle security threats. Triantis is the chair of the steering committee for the Stanford Cyber Initiative, launched in November with a $15 million grant from the William and Flora Hewlett Foundation to bring faculty from across Stanford together around cyber issues. “As President Obama observed, Stanford has been the birthplace of innovation in computer technology,” he said. “Now with the Cyber Initiative, those same faculty can be part of the solutions to threats that arose from those technologies.”

With the growing recognition of cyber risks, some companies are beginning to use their security features as a competitive advantage. Michelle Zatlyn, co-founder of CloudFlare, said the company’s primary responsibility is providing a secure web environment for clients.

Zatlyn said a challenge for companies trying to increase security is finding qualified staff. Her company currently has to look internationally to fill open positions, but she encouraged Stanford students to pursue these careers. “Today, we have President Obama in California talking about the need for security at the national level,” she said. “That means the students on campus who came this morning might think that is a great field and will want to be part of making the Internet better.”