November 22, 2016
by Andrew Jamieson, UL Innovation Group
If you are involved in any type of payments, you’ve probably heard of “PCI Requirements,” as published by the Payment Card Industry Security Standards Council (PCI SSC). UL, along with acquisitions now under the UL banner, has been working with the Payment Card Industry (PCI) since its inception – we were there when the first companies were accredited to perform PCI testing. Today our customers worldwide rely on us as a trusted source of information on these standards.
This year, 2016, has been a surprisingly busy year for PCI – a quick look over their site reveals the release of 76 unique documents! Even for people in the payment industry, it’s common to have only a narrow understanding of what PCI SSC is and what they do. However, just like UL, PCI publishes different standards that cover the security of merchant locations, card issuers, mobile payment operators, and card-accepting devices, to name just a few.
Many of the new documents released by PCI this year relate to new versions of the standards, but there are industry outreach and guidance documents as well, including guidance covering security for small merchants. PCI SSC recently held their annual community meetings around the world, this year marking the 10th anniversary of the formation of the PCI council. Because of this anniversary, there was much discussion about the future of the council and the future of the PCI standards themselves.
This is not surprising; as the world changes and moves toward global acceptance of EMV (chip cards), mobile payments, and universal use of encryption to protect card data, we must ask whether these standards remain relevant. In May 2016, I wrote that as the payment landscape changes, fraud is likely to migrate away from payments to other areas. Since then, ransomware attacks have increased over 400 percent.
So, are we approaching the end of payment fraud and, therefore, have no further need of the PCI standards? Yes and no. The change-over to EMV will take some time in the United States, with systems such as pay-at-pump terminals and ATMs likely to remain incompatible with EMV for many years to come. This will sustain fraud at the “point of acceptance,” and we’re already seeing an increase in fraud schemes attacking banks directly. In addition, the security of the software running on payment terminals is increasingly becoming a focus.
It can therefore be expected that the PCI standards won’t disappear, but will instead change and adapt with the shifts in fraud and technology. UL is participating in a number of these avenues, providing input on new standards and insight into new areas of fraud based on our global experience in payment security. We’re also increasingly being asked to advise on how to create payment systems that are not only secure, but also meet our customers’ usability needs.
This combination of security and usability is vital, and is driving the most rapid changes in payment methods and technology that the market has ever seen. With this change comes both challenges and opportunities, and more than ever it’s vital to understand how these changes may affect your business.
So, don’t expect PCI to disappear just yet – but do expect that new standards will appear as other standards previously considered a major part of their portfolio become less relevant. And, of course, UL will remain a primary source of expertise for the industry throughout.
About the Author: Andrew has over 20 years of experience working with payment systems and emerging technologies. He has worked on many different aspects of cryptographic and embedded systems security, and has authored a number of payments- and security-based patents, which have been granted around the world. As a Point of Interaction Testing Manager for UL’s Transaction Security division, Andrew is responsible for managing the payment device security evaluation work performed by UL globally, as well as personally performing PCI DSS audits and PCI PTS evaluations and consulting to clients on payment systems security and compliance. Currently, Andrew heads the Innovation Group, which looks at potential new technologies beyond the domains we are already familiar with. Andrew holds a Bachelor’s degree in Electrical Engineering (with Honors) and a Master’s degree in Applied Science (majoring in Information Security). For more information contact UL at [email protected].