Stuart spoke to Morgan Reed at NNT regarding the current state of the PCI DSS and what the future holds for one of the most widely-implemented cyber security standards.
“Thanks for taking the time to talk to us today Stuart. I wanted to begin by asking you what’s the current state of play with PCI DSS? I recently read the 2015 Verizon report on PCI Compliance which suggested that 80% of merchants overall do not meet PCI DSS requirements. There was also a study by the Merchant Acquirers Committee that showed more than 30% of Level 1 Merchants are not compliant. What’s your view of the current adoption of the PCI DSS?
My work over that last 10 years has been with a number of the UKs leading merchants, typically major retailers in the FTSE 500, and all of these organizations have always taken their responsibilities very seriously. Having said that, PCI DSS adoption isn’t ever done with the flick of a switch, due to the scale and complexity of the payments architectures in use, covering multiple lines of business and payment channels. Even the initial de-scoping – a tactic employed in any PCI programme – will take months to achieve within a major enterprise estate.
Speaking of de-scoping, we’ve seen increased adoption of P2PE (Point to Point Encryption). This looks to be a highly effective way to remove store POS systems from the scope of PCI but far from straightforward to implement?
No doubt about it, P2PE is a neat way of de-scoping store systems – cardholder data either never touches the merchant estate, or at least only in an encrypted form. The challenge for many has been in integrating a validated P2PE solution, with new PED (Pin Entry Device) hardware, with their existing POS systems.
I have heard an argument that the sheer magnitude of change needed to implement P2PE has actually hindered PCI compliance, given the fact that many retailers ceased the implementation of regular PCI security measures once their strategy was to adopt P2PE. As other countries, notably the USA, begin to embrace P2PE, what would your advice be?
Leaving aside the technical implementation challenges, the business model for P2PE is also a significant factor. P2PE has typically been positioned as a holistic solution, whereby face to face payment transactions are controlled by the payment service provider, who also supplies the PEDs as part of a validated end to end solution. This makes sense on one level as a store to acquirer payment transaction solution, but getting many P2PE projects mobilized is made significantly more complicated once the technology decision becomes entangled with the procurement/commercial decision. Inevitably this can delay adoption of P2PE and widen the gap to implementation, and it’s hard to argue for an interim project for PCI measures, such as FIM and logging, when a long term strategic solution is coming down the line.
Ironically, just as PCI DSS in the face to face payment channel is being simplified by P2PE, with many PCI DSS controls not required, GDPR is causing everyone to think again. Serious consideration needs to be given to the amount of personal information being handled in-store, and whether this puts us back to square one in terms of needing controls such as mandatory malware protection and integrity monitoring on POS and back office systems, so from a wider information security perspective, we may yet not be home and dry just yet, even though PCI DSS compliance may be achieved!
So while P2PE is effective at removing cardholder data from store systems, this still leaves other channels, such as eCommerce and Call Center transactions, still firmly within scope and not surprisingly, increasingly responsible for payment fraud (some estimate up to 70% of total fraud). What do you think is the future for these channels? Will direct-mobile payment solutions ultimately de-scope everything?
CNP (Card Not Present) transactions, like on-line and call center, produce a range of different challenges. Firstly, from a fraud prevention standpoint, Chip and PIN in the face to face payment channel, combined with P2PE, is obviously highly effective, so the fraud prevention shifts onto more subtle detection mechanisms such as payment velocity checking. While the opportunity for fraud persists, card cloning and cardholder data theft remains a criminally worthwhile venture, so you can see why the card brands would like a better solution for all CNP channels.
Looking at it another way, you can expect to see CNP transactions increasingly deflected in the future, bypassing the collection of payment at the website or call center. Instead of the verbal or online entry of card details, a request for payment will be made directly to the customer’s mobile device, with payment made using PayPal, GoogleWallet, ApplePay etc.
What is changing is that these mobile payment methods are becoming more popular in face to face, Card Present transactions. The payment card details are held securely by the service provider, with payment made via a one-time token (usually a QR Code on the phone or increasingly a direct contactless payment from the device tapped onto the PED). The Customer and Merchant never see any card data on a daily basis.
In this way the new generation of mobile payment methods could ultimately remove card data entirely, subject of course to consumer adoption across all demographics, and shift PCI DSS compliance wholly onto the payment service providers as the only entity to ever hold card data.
For more information go to www.newnettechnologies.com