How Innovation is Changing Payment Security (and Standards)

In this interview from the 2018 North America Community Meeting, we sit down with Chief Technology Officer, Troy Leach, to address the changing payment landscape and how the PCI Security Standards Council is evolving to meet market needs.

How has PCI SSC evolved of the years?

Troy Leach:  When we started this organization in 2006, our primary goal was to address the industry ask to provide a consistent approach to appropriate cardholder data security via the Data Security Standard as well as the PIN-entry devices identified in the PIN Transaction Security (PTS) standards by aligning existing requirement from our founding companies.

What we could not have anticipated at the time was the significant change introduced with smart phones, cloud services and other technologies and how they would change the payment ecosystem.  As well as payment innovation, security technologies such as Token Service Providers and Point-to-Point Encryption, would create mechanisms to change the value of data and our approach to security.

Additionally, we quickly identified with our Participating Organizations the need for clarifications  to security best practices and additional guidance within standards.  That has evolved into a library of resources on payment security over time.  From there, we’ve also expanded the ability to train on payment security and extend our guidance to additional parties such as Integrators, Resellers, Software Developers, Cloud Service Providers, and beyond.

How has the changing threat landscape impacted the evolution of PCI Standards?

Troy Leach: The biggest changes over the past decade has been speed and accessibility.  With faster networks and cloud-based services, organizations can take advantage of more real-time authentication compared to the limitations of network cost and speed just 10 years ago.  Additionally, the introduction of smart technology, and specifically mobile devices have created so many new opportunities for merchants to reconsider how they accept payments and for small merchants, the ability to possibly consider taking payments for the very first time.

At the same time, it also increases the potential attack surface because criminals also have more opportunity for access to exploit the transaction.  As we embrace innovation, we also need to empower the solutions to leverage the security potential inherent with these types of environments rather than relying exclusively on previous security best practices.

Your presentation points to the evolution of the PCI Standards- how has it evolved and where is it going? More specifically, when can the industry expect the next update to the standard?

Troy Leach: Most importantly is the development of the standards with a more formalized feedback process that allows for greater transparency with many new and different feedback channels. This includes transparency for feedback we receive and insight into how each item was carefully considered. For example, our latest standard had more than 1,500 comments which took hundreds of hours to review and determine appropriate changes for. We’d like to share more visibility into the effort required to create and update our standards and programs.

We also want to have a more formal approach for each time we request feedback. This provides a consistent expectation for our 750+ Participating Organizations and Security Assessors that have the ability to provide comments.  This begins with advance and regular communication of when those opportunities will be coming and providing enough time to thoroughly review standards during a Request for Comment period and transparency to how we manage the valuable feedback we received.

How is PCI SSC simplifying security for smaller merchants?

Troy Leach: I’m very pleased with our latest offering for small merchants and the payment community.  Our industry-led Small Merchant Taskforce recently published updated guidance for Data Security Essentials and included a new tool- the Data Security Essentials Evaluation Tool– to help smaller organizations easily identify the type of environment they operate, commons risks to that specific environment, and ability to answer questions in a way that provides better gauge of the SMB’s understanding of potential threats and appropriate security readiness.

The P2PE Standard is another standard undergoing revisions this year- what can you say about the changes and how will it impact stakeholders?

Troy Leach: Returning to the topic of feedback, it was really at the request of our stakeholders that we re-evaluated what to do with the next release of the P2PE Standard.  Originally, we expected a minor release of the standard this year.  And even still, we do expect insignificant changes to the actual requirements during the next release. However, we received suggestions on how to improve the assessment of P2PE solutions and opportunities for entities that provide part of the solution, referred to as Component Providers, an ability to report differently during the evaluation. As such, we have changed our projected timing of the next release to update elements of the reporting and anticipate the next version released in the Q4 2019 to Q1 2020 timeframe. You can read more information about the updates to the P2PE Standards in my recent blog post.

Can you talk a little bit about why collaboration and industry feedback are vital to the Standards and protecting payment card data globally?

Troy Leach: The PCI Security Standards Council relies on the engagement of the community that are at the front lines- embracing new technology, leveraging new approaches to applying security and involved directly in the implementing the requirements. Feedback from the payment industry is critical to move payment security forward.  There are hundreds of companies all over the world that help collaborate on each standard or guidance paper we create.  We are truly grateful for the payment community that supports us and use this time to celebrate our work together but also ready ourselves to address the next generation of payment security issues.