If the EMV chip-card migration in the U.S. taught the payments industry anything, it's that some players meet compliance deadlines, while others let them slip by.
But data breaches are scary enough to spur companies that use web-based platforms or handle payment card data to pursue new Payment Card Industry security updates well before compliance deadlines in 2018.
"We are having really good discussions with new customers or those who have our products near the end of the product life cycle, and they want the latest and most secure protocol standards now," said Ben Rafferty, global solutions director for Semafone.
London-based Semafone provides security for contact centers, which are businesses that accept payments or provide customer service through various Web-based chat rooms, digital messaging exchanges or Skype.
The PCI council in 2015 began warning merchants and organizations about the security vulnerability in the Secure Socket Layer protocol and early versions of Transport Layer Security. Both operate as a protocol between a server and client on the Web. SSL was coming under extensive malware attacks, triggering the PCI warning in which it pushed a TLS version 1.1 encryption protocol or higher.
After getting feedback from PCI members, the council extended the compliance deadline two years to June 2018 to convert to a more secure version of TLS. The initial deadline of June 2016 included the PCI-Data Security Standard 3.1 version, but the council considered the extension to assure that 3.2, released this month, was included.
Despite the extension, Semafone has upgraded its software to fast-track a migration to the new TLS standard, to remove the vulnerable SSL or TLS protocols at companies using Web-based tools to accept payments or handle customer interaction.
Contact centers, essentially a high-tech version of a traditional call center, have endured breaches in the past because in some cases consumers read back card data or deliver it via messages to customer agents, providing an opportunity for data theft, Rafferty said.
Semafone's cloud-based system enables the consumer to enter a payment card number into a phone keypad, remove the audio tones and replace the data with a one-time or recurring payment token that is delivered to a customer relationship management database.
For some businesses, making the conversion to an upgraded TLS can be "an overnight change" that essentially is a re-certification process, Rafferty said.
"For others using legacy systems, we can sometimes end up in a discussion about infrastructure and architecture changes, but ultimately we end up with a better security system and one that complies with PCI," Rafferty added.
Even in the best of circumstances, the security industry has found retailers and service providers who are educated about, and aware of, compliance deadlines and security threats and others that are not well-versed and tend to procrastinate well past deadlines.
"We’ll have the early movers, who will be motivated more by the potential exposure to security threats than the compliance mandate," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "We haven’t seen many attacks that are capitalizing on the SSL gaps yet, but 'yet' is likely the key word."
But a substantial number of merchants will continue to drag their feet, Conroy added, and wait until the compliance deadline and beyond before transitioning their environment.
"They view the change as a requirement obligation as opposed to a task necessary to maintain a secure payment environment," Conroy said.
Rafferty contends the PCI council has provided the industry an excellent service in its warning about encryption protocols, and extending the compliance deadline.
"They made a plan based on feedback and realized there is a very large variation of customer technologies out there," Rafferty said. "There is no way for many to move from an old system to a new system just to adjust to these protocols, so there are other controls that can be put in place in the meantime to make sure the credibility of the standard is still there."
If PCI had stuck with the June 2016 compliance deadline, it would have resulted in many merchants and businesses rushing through the process and not being up to standard, Rafferty added.
In the meantime, PCI has developed a standards framework that allows for more immediate updates as needed, a significant change from its previous three-year cycle for new standards."It is actually more pragmatic and allows for change and probabilities in the marketplace," Rafferty said. "Vulnerabilities can occur in massive amounts, and the framework allows you to respond appropriately to those."
It allows merchants to "do the right things at the right times" to address vulnerabilities and keep networks secure, he added.
Moving forward, it is critical that businesses handling payment data incorporate their security measures into budgets when preparing to launch new technology.
“We are approached regularly by new prospects either after they have been breached or when they are just about to introduce a new technology, and they ask us how to protect it,” said Rafferty, whose company serves about 60 clients.
“We tell them you can’t just wrap a ribbon around it and ta-da, it’s secure,” Rafferty said. “Deciding you have money left in the budget for security after the fact is not how this should work. You really have to have security at the ground floor of planning and on up.”