The PCI council is racing to keep up with technology, particularly in the rapidly developing mobile payment space.
Speaking to SC Magazine, Jeremy King, European director of the PCI Security Standards Council (PCI SSC), said that it was ‘surprised at how fast new technologies were coming along’, especially as e-commerce was being offered via banking, payments and transactions apps on mobile devices.
Ahead of its European Community Meeting event next week, King said the challenge for merchants is that they want to offer the best user experience for their customers and allow people to use their iPhones and iPads to do payments.
He said: “We've had a taskforce running on this and we have a long history of locking down. Mobile technology is still new and there is no knowledge of how to do mobile security. You can search on Google for ‘Android’ and ‘malware’ to make users aware of the security challenges that need to be addressed, but you cannot stop mobile payments, you need to know the challenges and risks.”
King also commented that the Payment Application Data Security Standard (PA-DSS) exists for secure applications, but that it does not yet provide guidance for mobile applications, as the industry does not know how to secure them. “There is still work in progress,” he said.
Analyst Alan Goode said that he understood the challenge and agreed that it was not just about payments, but was an equal regulatory challenge for authentication and data protection.
He said: “It is difficult to regulate and ensure that data is protected. Technology is moving in line with what the regulator is doing, but it is disruptive as new payment providers emerge like Square and Google Wallet and you would imagine Apple will enter the space in the next couple of years. There are a lot of requirements as to how secure they are.
“The onus is on the card issuer and financial services company to get it right and the desire on handlers for mobile to get it right and get the security right. With mobile you can do it right providing that the data is protected and assured. There is an opportunity for banks to get it right and convenient.”