Credit cards might disappear from the face of the earth one day, but the security standards that protect them seem unlikely to suffer a similar fate.
Security experts and industry observers believe society will always need the Payment Card Industry data security standards, the principal safeguard businesses should put in place to accept payment cards. As long as merchants are moving cardholder data, they will need to take safety measures to secure it, experts say. And the ISOs who set up the merchant accounts will need to help shepherd the process.
But while the PCI standard itself might not go anywhere, the scope of PCI could change. EMV chip card acceptance promises a drastic reduction in fraud by encrypting cardholder data, and EMV might substantially lower a merchant's PCI compliance costs as a result. So instead of having to meet 250 validation requirements, a merchant might only have 20, says Gary Glover, director of security assessment for SecurityMetrics Inc., a security vendor based in Orem, Utah.
"EMV won't make PCI go away. It's a huge improvement, but it doesn't solve all the world's problems," Glover says.
Glover has been part of the security industry since the infancy of the PCI standard. Having watched the standard change, he believes it is more likely to undergo a few tweaks than a full overhaul to keep up with technology.
"I think it's probably gone through the major portion of its evolution already," he suggests.
Mobile payments represent the next frontier for PCI, but technology is developing faster than the standards can keep up. In the meantime, security experts are urging merchants to take safety measures, such as using an attachment that encrypts cardholder data when it's entered into a mobile device.
New tools such as EMV hold the potential to reduce the kinds of security breaches that magnetic stripe cards allow. But technology in and of itself won't eliminate fraud, says Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass.
Russo compares fraudulent activity to squeezing a balloon. Pinch one side, and the other side gets bigger. The same goes for fraud in a world of evolving technology.
"Fraud is not going to go away. It's just going to morph," Russo says.
Russo contends the payments industry shouldn't lose sight of the fact that it takes three elements to secure data: people, process and technology. It's not enough to rely on only one or two of those components, he says.
"You can't go out and buy a piece of technology that is 100% foolproof," he says.
Russo believes security will entail pairing technology with PCI. He hails EMV as a highly effective fraud tool in a face-to-face situation, but he notes that online shopping calls for extra security safeguards, which is where PCI comes in.
"EMV and PCI is a very powerful combination," Russo says.
Russo expects an uptick in fraud cases just before EMV becomes common because fraudsters will take advantage of opportunities before that door closes. Merchants have a deadline of October 2015 to accept EMV chip cards.
Jennifer Fischer, head of Americas Payment System Security for Visa Inc., predicts that the payments world of the future will consist of several layers of protection against hackers and criminals, and that PCI will remain a key component in the overall security strategy. EMV brings the opportunity to replace the static data presented by magnetic stripe cards with the dynamic, encrypted data that chip cards produce.
"Counterfeiting is pretty much eliminated with EMV technology, because of that dynamic value," she says.
Fischer expects chip technology to play a significant role in the coming years, and that in and of itself will help reduce risk.
Some payments experts contend that PCI isn't a perfect standard, nor does it offer complete security.
One of the main challenges with PCI is that various types of businesses in differing industries are trying to comply with a single standard, says Charles Denyer, managing director of Atlanta-based NDB Accountants & Consultants, which specializes in PCI-compliance issues.
"The biggest problem with PCI is it's like fitting a square peg in a round hole," he says.
The other issue Denyer sees with PCI is the confusion still surrounding the who, what, when, where, why and how of compliance. He estimates that of the 15 billion merchants in the U.S., about half comply with PCI.
"It's unbelievable how much misinformation and a lack of understanding is out there by merchants that need to be compliant," he says.