As commerce gets increasingly global, the differences in payment security from country to country become more apparent.
To address this concern, the U.S.-based Payment Card Industry Security Standards Council and the European Card Payment Association on Tuesday announced the two groups would collaborate on future versions of the PCI Data Security Standard and push European payment companies to adopt PCI standards.
"Standards cannot be left to be competitive issues, and they can't be left to diverge across different constituencies," said David Stephenson, general secretary of the ECPA. "It's not only important to share information, but also have common standards throughout the world.
The ECPA's members have to comply with security regulators in their home countries as well as across the Eurozone, and these regulations are changing rapidly to address the increase in cybercrime and other risks, Stephenson said.
The ECPA's members have worked with the PCI Council in the past, and the association hopes to streamline its efforts by centralizing its work with the PCI Council, which will also better equip the ECPA and PCI members to engage with regulators.
Early work will include developing guidance for encryption and tokenization, as well as input into the EMV migration in the U.S., given ECPA's experience with chip cards.
The ECPA represents European domestic card schemes and organizations, participating with European financial institutions and other stakeholders on legislation, security, standards and other issues. It's members include Bancontact-MisterCash in Belgium, BankAxept in Norway, Cartes Bancaires in France, Consorzio BANCOMAT in Italy, EURO 6000, Sistema 4B and ServiRed in Spain, Dankort in Germany, SIBS Pagamentos in Portugal, the UK Cards Association, the Dutch Payments Association (NL) and the Pan-Nordic Card Association. PCI's network includes more than 700 organizations globally.
"Now the ECPA will have a seat at the table and participate in the evolution of the PCI standards," said Julie Conroy, research director at Aite Group. "PCI is not only the baseline for card security, but also represents a significant resource effort for anyone impacted by its requirements, so having a voice in the evolution is important for all players in the payments arena."
PCI has a lot on its plate as its members grapple with the impact that mobile and digital technology are having on payments security. At the same time, more e-commerce companies are relying on cross-border sales to grow their businesses, pressuring companies to improve security to protect transactions that involve parties in different jurisdictions.
Prevailing protocols that help protect e-commerce, such as the Secure Socket Layer, are vulnerable to evolving attacks, prompting PCI to push for an upgrade. The ECPA members have been consulted on the move from SSL to a newer version of Transport Security Layer, said Stephen Orfei, general manager of the PCI Council.
The PCI Council has already pushed back its target date for adopting the new Web protocol, since many merchants are already struggling to migrate to chip card technology. The PCI standard has also given merchants more flexibility to add encryption to protect digital transaction data, and is changing its development cycle to accommodate emerging security threats and the rapid deployment of tokenization and other security technology.
Orfei has made collaboration a top priority since joining the council more than a year ago, and has previously entered partnerships with the EMV Migration Forum and the Payment Security Task Force. "It's all about collaboration. Any unilateral action will disappoint," Orfei said.
The card brands have also increasingly cooperated on security, with UnionPay and Visa recently agreeing to work together in the same manner as UnionPay works with MasterCard and Discover.
"There is no question that collaboration is also essential in combating the rising tide of cybercrime," Conroy said. "[PCI/ECPA] is one forum, but there are also many other venues in which this collaboration is taking place."