New Year is a time to look to the future and take stock of the past. In the PCI DSS space, it's also time to evaluate the state of what is now a pretty mature security standard. Last year's Verizon Payment Security Report was particularly interesting in that it gave a 'glass half full, glass half empty' view of PCI compliance among retailers.
While 50 percent of retailers satisfied auditors at their interim audit, the other half fell short. The report also notes that 80 percent of the organisations breached were not compliant, an uncomfortable correlation for those still working on PCI security controls.
Why is it the case that so many retailers are still not able to meet PCI DSS compliance? What does the past, present, and future of PCI tell us, and will payment card fraud ever be beaten?
Back to PCI Past:
PCI DSS adoption was rarely done with the flick of a switch, and not just because of the expense. The scale and complexity of the applications in use, each covering multiple lines of business, presented a non-trivial problem. When it came to factoring PCI into a long-term Enterprise IT strategy, the timeline could easily run into years. Even the initial de-scoping - a tactic employed in any PCI project to minimise use of card data - took months to achieve within a major enterprise.
Today, de-scoping can be absolute, at least for POS (Point Of Sale) systems. With P2PE (Point to Point Encryption), only encrypted cardholder data is handled within the retailer's estate, removing store systems from the scope of PCI. The benefits are clear, but for many it may not be straightforward to implement, the main challenge being de-coupling the PED (PIN Entry Device) from the POS system.
In addition to implementation difficulties, the P2PE business model itself can be a significant obstacle. P2PE is typically positioned as a one-stop shop, with payment transactions also handled by the PED supplier. This makes sense on one level, providing a complete 'soup to nuts' solution. However, it makes procurement significantly more complicated once the technology decision becomes entangled with a commercial one. Inevitably, this widens the gap between adoption and implementation.
Consequently, P2PE may actually serve to hinder the PCI effort in the short term. It's hard to argue for an interim project for PCI measures, for example integrity monitoring and logging, when a long-term strategic solution is coming down the line.
Frustratingly though, just as PCI is being circumvented by P2PE, GDPR may drag us back again. With more personal information being handled in-store, for example via Loyalty Cards, this restores the need for security on POS systems.
But what about PCI Future?
With the proliferation of direct-mobile payment solutions, some are questioning the long-term future of PCI within retail. One vision for the new-generation of payment solutions is that they allow card data to be removed entirely from the retailer.
Today the PCI issue remains because, even though P2PE is effective at removing cardholder data from store systems, other channels such as eCommerce and Call Center remain firmly within scope and are increasingly responsible for card-data thefts, reportedly up to 70 percent of total card fraud.
These CNP (Card Not Present) transactions present a different challenge. With no physical card, Chip and PIN is ineffective, so fraud prevention shifts onto more subtle detection mechanisms such as 'payment velocity' checks (watching for unusual patterns in card transactions). As long as the opportunity for fraud persists, card cloning remains a criminally worthwhile venture.
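To make the 'payment velocity' idea concrete, here is an added example (not code from the article or from NNT) of a sliding-window velocity monitor run over a constructed transaction feed. It keys activity on a card token rather than a PAN, and the window size, thresholds, merchant names and transaction values are all hypothetical choices for the illustration. It trips three independent rules (too many transactions, too much cumulative spend, too many distinct merchants in the window) and shows one normal card passing while a burst typical of a cloned card is flagged.

```python
"""Sliding-window payment velocity checks over constructed sample transactions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    card_token: str   # tokenised card reference, never the PAN itself
    amount: float
    merchant: str
    ts: datetime


class VelocityMonitor:
    """Tracks recent activity per card token inside a sliding time window.

    Thresholds are hypothetical values chosen for this example:
      max_count     - more than this many transactions in the window
      max_amount    - cumulative spend in the window above this
      max_merchants - distinct merchants in the window above this
    """

    def __init__(self, window=timedelta(minutes=10), max_count=3,
                 max_amount=500.0, max_merchants=2):
        self.window = window
        self.max_count = max_count
        self.max_amount = max_amount
        self.max_merchants = max_merchants
        self._history = defaultdict(deque)  # card_token -> deque[Transaction]

    def observe(self, tx):
        """Record tx and return the names of any velocity rules it trips."""
        hist = self._history[tx.card_token]
        # Evict entries that have aged out of the window before evaluating.
        cutoff = tx.ts - self.window
        while hist and hist[0].ts < cutoff:
            hist.popleft()
        hist.append(tx)

        alerts = []
        if len(hist) > self.max_count:
            alerts.append("count")
        if sum(t.amount for t in hist) > self.max_amount:
            alerts.append("amount")
        if len({t.merchant for t in hist}) > self.max_merchants:
            alerts.append("merchants")
        return alerts


def sample_transactions():
    """Constructed feed: one normal card and one burst typical of a cloned card."""
    base = datetime(2024, 1, 15, 12, 0, 0)
    return [
        Transaction("tok_normal", 42.10, "grocer", base),
        Transaction("tok_normal", 18.50, "cafe", base + timedelta(hours=3)),
        Transaction("tok_burst", 120.00, "electronics", base + timedelta(minutes=1)),
        Transaction("tok_burst", 199.99, "electronics", base + timedelta(minutes=2)),
        Transaction("tok_burst", 150.00, "jewellery", base + timedelta(minutes=3)),
        Transaction("tok_burst", 90.00, "fuel", base + timedelta(minutes=4)),
    ]


def run_checks(transactions, monitor=None):
    """Feed transactions in timestamp order; return [(tx, rules)] for those that alert."""
    monitor = monitor or VelocityMonitor()
    flagged = []
    for tx in sorted(transactions, key=lambda t: t.ts):
        alerts = monitor.observe(tx)
        if alerts:
            flagged.append((tx, alerts))
    return flagged


if __name__ == "__main__":
    for tx, rules in run_checks(sample_transactions()):
        print(f"{tx.card_token} at {tx.ts:%H:%M} tripped {rules}")
```

The per-card history is pruned on every observation, so a card that was flagged earlier is judged afresh once the burst has aged out of the window; in a real deployment the thresholds would be tuned per merchant category and the alert would feed a scoring or step-up authentication decision rather than a hard decline.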
The vision is that CNP transactions will be increasingly deflected onto other payment channels, completely bypassing the use of card numbers at the website/call centre. Instead of verbal or online entry of card details, payment requests will be made directly to the customer's mobile device, with settlements made using Apple Pay or Google Wallet.
More interesting is that mobile payment methods are becoming more popular in face-to-face, Card-Present transactions. This suits everyone (retailer, customer and card brand) because everything is de-scoped for PCI. Cardholder details are held securely by the Service Provider, with payment made via a one-time token, predominantly by direct contactless payment from the device tapped onto the PED. The Customer and Merchant never see any card data on a daily basis, and the opportunity for card skimming and fraud is eliminated.
Shifting payment habits could take a generation or two to achieve but, for Retailers at least, it may yet see us able to move on from PCI compliance.
Contributed by Mark Kedgley CTO, NNT