Lost in the wave of shopping and payment innovation is just how remarkable the change has been--as little as 10 years ago, transaction options were pretty static and wristwatches were time-telling relics rather than futuristic vessels for shopping.
"We're in a renaissance where innovation is creating new forms of commerce in diverse ways," said Troy Leach, the chief technology officer of PCI, the card network operated security standards council that's marking its tenth year. In some ways it seems longer than that.
"There's a diversity of mobile and all kinds of digital offerings that were not around ten years ago, or even five years ago," said Leach.
With the rapid change, risk and controversy are never far behind, as the market absorbs new entrants that impact payment security and require input into the standards that define how account data should be protected on a watch or a glove, for example.
"There is a growing diversity of vendors that are participating in the transaction, so security should have as much of a transformation as the technology facilitating the payments," said Leach.
For the council, that transformation is as much about speed as it is the actual guidance. PCI has always issued guidance to address emerging payment types and changing security threats.
But in the new environment where vulnerabilities are faster and more numerous than the quaint days when crimes like card skimming were the big threat, the council is pushing a security regime that's more continuous than the scheduled audits and self-checks of the past.
"Service providers should demonstrate they are doing more frequent security tests and have a more rigorous process to demonstrate the standards are being applied not just for a PCI assessment but throughout the year," Leach said.
Part of the council's effort is encouraging constant checks to ensure data security. It's also working faster on its own updates.
PCI accelerated work on security requirements tied to mobile payments. In the past few months, PCI has issued specifications for tokenization, or the act of using a one-time replacement for account numbers to guard against theft. It has also addressed stronger multifactor authentication for digital transactions and the migration to stronger Web protocols to protect mobile and other online payments.
The number of token providers is expanding rapidly and EMVCo is issuing its own specifications to match tokens with account numbers, prompting the PCI Council to speed its own timetable.
"We want the new standards to have sustainability, and to provide a way for authentication to be more dynamic," Leach said. "A big movement in payments in general over the next ten years is toward more dynamic data and away from static data...we are looking at new ways to provide credentials in the mobile space and we're evaluating biometrics and other things that can help facilitate a secure transaction."
Beyond the move to wearables, social payments and contactless mobile payments, the trend to "future proof" terminals also brings in more organizations that need to monitor their own security, Leach said.
"The are more parties that are facilitating parts of transactions than there were in the past," he said. "And the move toward cloud delivery to update terminals is another change. In the past there was much more information managed internally by the merchant or the bank in house...there is a growing dependence on software delivery now."
The advancement of digital payments would be served by more cooperation on standards, according to Andy Schmidt, executive advisor at CEB.
"In the 10 years since PCI, the industry has seen a tremendous amount of change and disruption in the payments market," he said. "And much of it has happened over the last few years with topics like mobile, blockchain and real-time processing attracting a tremendous amount of attention. However, there has also been a great deal of friction during this time and some of this friction could have been avoided by better use of standards and collaboration."
The PCI Council has also faced controversy over its perceived power, most recently from the National Retail Federation, which is opposed to the council's enforcement structure. Leach would not comment on that conflict, though he said the council consults with retailers and the council's membership includes merchants.