PCI DSS is an abbreviation for the Payment Card Industry Data Security Standard. PCI DSS has matured considerably over the last few years, and its requirements have been updated in response to the rise in data breaches. Last year's Payment Security Report from Verizon highlighted several important points about PCI compliance.
It found that only about 50% of retailers passed their interim audit. It also stated that around 80% of the organizations that suffered a breach were not compliant with PCI DSS at the time. That is an alarming correlation, especially for those who are responsible for PCI security controls.
This situation raises some important questions. What does the future hold for the Payment Card Industry Data Security Standard? Why do so many organizations fail to meet the requirements of PCI DSS? Will card payment fraud ever come to an end?
A Brief History of PCI DSS
Previously, adopting PCI DSS was rare, not only because of the cost of compliance but also because implementing it was so intricate. Long-term business planning could stretch the timeline to several years. Only major enterprises were able to de-scope (minimize the systems that handle card data) and, even then, it took them several months to complete the project.
Current Situation of PCI DSS
Nowadays, de-scoping has become essential, primarily for point-of-sale systems. With P2PE (point-to-point encryption), card data is encrypted inside the payment terminal, so the store systems only ever handle ciphertext, which takes them out of the PCI DSS scope. Note that the scope reduction is only automatic for a P2PE solution validated and listed by the PCI Security Standards Council; with an unlisted encryption solution, the acquirer decides how much scope reduction to grant.
The advantages are obvious, but implementation is not always straightforward. The most difficult part is decoupling the PED (PIN Entry Device) from the point-of-sale system. The business model of P2PE adds to the problem: P2PE is usually sold as a whole package in which the PED provider also handles the payment transactions, which makes procurement significantly tougher and more complex. A P2PE project can therefore end up complicating a PCI programme rather than simplifying it.
On the other hand, the GDPR (General Data Protection Regulation) also poses a problem, since customers' personal information is handled in-store. This means that additional security is required on point-of-sale systems regardless of the PCI scope.
The Future of PCI
With the rapid rise of mobile payment solutions, many industry experts are discussing the future of PCI, especially within retail, where it is most widely applied. With these new payment solutions, the retailer may not need to handle any card data at all.
The problem is that P2PE only addresses the in-store channel. Other channels such as call centers and e-commerce remain within scope and are where card data is now most often stolen. The majority of card fraud has been reported to come from these channels, which is alarming.
Card cloning (obtaining card details, copying them onto a duplicate card, and using it) also remains a lucrative fraud technique. As CNP (Card Not Present) transactions have grown, fraud-prevention mechanisms have evolved into subtler methods such as transaction velocity checks, which flag unusual transaction patterns, for example many purchases on one card within a short window, or a large total spend in that window.
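The velocity check described above, as an added example that is not part of the original article: a sliding-window checker that keeps each card's recent transactions and flags a card when the count, the total amount, or the set of countries seen inside the window looks unusual. The thresholds, the field layout and the sample transactions are all constructed for illustration, not taken from any real fraud system.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transactions (timestamp, card token, country, amount).
# Only a token identifies the card; the merchant never sees a PAN here.
SAMPLE_TRANSACTIONS = [
    ("2024-03-01T10:00:00", "tok_A", "US", 40.00),
    ("2024-03-01T10:01:00", "tok_A", "US", 35.00),
    ("2024-03-01T10:02:00", "tok_A", "US", 30.00),
    ("2024-03-01T10:03:00", "tok_A", "US", 25.00),   # 4th in 10 min
    ("2024-03-01T10:04:00", "tok_A", "DE", 20.00),   # country changes
    ("2024-03-01T11:00:00", "tok_A", "US", 15.00),   # window has expired
    ("2024-03-01T10:05:00", "tok_B", "US", 600.00),  # single large spend
]


class VelocityChecker:
    """Flags per-card transaction patterns inside a sliding time window.

    Thresholds are illustrative assumptions, not values from any standard.
    """

    def __init__(self, window=timedelta(minutes=10), max_count=3, max_amount=500.0):
        self.window = window
        self.max_count = max_count
        self.max_amount = max_amount
        # token -> deque of (timestamp, country, amount), oldest first
        self.history = defaultdict(deque)

    def check(self, ts_iso, token, country, amount):
        """Record one transaction and return the list of flags it raises."""
        ts = datetime.fromisoformat(ts_iso)
        hist = self.history[token]

        # Evict entries that fell out of the window for this card.
        cutoff = ts - self.window
        while hist and hist[0][0] < cutoff:
            hist.popleft()
        hist.append((ts, country, amount))

        flags = []
        if len(hist) > self.max_count:
            flags.append("too_many_in_window")
        if sum(a for _, _, a in hist) > self.max_amount:
            flags.append("amount_over_window_limit")
        if len({c for _, c, _ in hist}) > 1:
            flags.append("country_change_in_window")
        return flags


def scan(transactions):
    """Run every transaction through one checker; returns a list of flag lists."""
    checker = VelocityChecker()
    return [checker.check(*tx) for tx in transactions]


if __name__ == "__main__":
    for tx, flags in zip(SAMPLE_TRANSACTIONS, scan(SAMPLE_TRANSACTIONS)):
        print(tx[1], tx[0], tx[2], tx[3], "->", flags or "ok")
```

Transactions are processed in list order, so a real deployment would need to handle out-of-order arrivals (for example by sorting each card's history by timestamp before evicting); the sample keeps each card's transactions in time order so the deque logic stays simple.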
The prediction is that CNP transactions will shift towards different payment channels, which will remove any need to handle the card number at the call center or website. Rather than asking the customer for card details, the payment request will be sent directly to the customer's mobile device using Google Wallet or Apple Pay.
These mobile payment methods are certainly the future of transactions, and rightly so. They suit everyone: customers, retailers and card companies, because the merchant's side of the transaction falls largely outside the scope of PCI. The cardholder's data stays with the wallet provider, and the merchant receives only a one-time payment token.
Since the merchant never handles the card data directly, the opportunity for card fraud at the merchant is minimized. The shift towards these new payment habits may take some time. It will also affect processes such as bookkeeping, internal controls, and security, which will need to be adapted to incorporate these new payment methods.
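The tokenized flow described in the two paragraphs above, as an added example that is not the article's own and not the real Apple Pay or Google Wallet protocol: a simplified wallet provider issues a single-use token bound to an amount, the merchant presents only that token, and a Luhn-based scan of the merchant's stored records shows that no card number ever reaches them. The `ProviderVault` and `MerchantSystem` classes, the test card number 4111111111111111 and the "legacy" record are all constructed for illustration.

```python
import re
import secrets


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Scan free text for 13-19 digit runs that pass Luhn (a crude PCI scope check)."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]


class ProviderVault:
    """Assumed wallet-provider side: holds the PAN, issues one-time tokens."""

    def __init__(self):
        self._tokens = {}   # token -> {"pan", "amount", "used"}

    def issue_token(self, pan, amount):
        # The cardholder's device asks the provider for a token for this amount.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"pan": pan, "amount": amount, "used": False}
        return token

    def authorize(self, token, amount):
        # Reject unknown tokens, replays, and amount mismatches.
        rec = self._tokens.get(token)
        if rec is None or rec["used"] or rec["amount"] != amount:
            return False
        rec["used"] = True
        return True


class MerchantSystem:
    """Assumed merchant side: sees tokens and amounts, never a PAN."""

    def __init__(self, vault):
        self.vault = vault
        self.records = []

    def checkout(self, token, amount):
        approved = self.vault.authorize(token, amount)
        self.records.append({"token": token, "amount": amount, "approved": approved})
        return approved


def run_flow():
    """Walk through one tokenized payment, a replay attempt, and a scope scan."""
    vault = ProviderVault()
    merchant = MerchantSystem(vault)

    # Constructed test card number (Luhn-valid, not a real account).
    pan = "4111111111111111"
    token = vault.issue_token(pan, 49.99)          # customer's device obtains token

    first = merchant.checkout(token, 49.99)        # approved
    replay = merchant.checkout(token, 49.99)       # same token again: rejected
    wrong_amount = merchant.checkout(vault.issue_token(pan, 10.00), 99.00)

    # What would a PCI scoping scan find in the merchant's storage?
    pans_in_merchant = find_pans(repr(merchant.records))
    # Compare with a constructed "legacy" call-centre record that stored the PAN.
    pans_in_legacy = find_pans("order 1234, card 4111111111111111, exp 12/27")

    return {
        "first_approved": first,
        "replay_approved": replay,
        "wrong_amount_approved": wrong_amount,
        "pans_in_merchant": pans_in_merchant,
        "pans_in_legacy": pans_in_legacy,
    }


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

The scope scan is deliberately crude (digit runs plus Luhn); real discovery tools also look at file types, databases and memory, but the contrast it shows is the point of the article: the tokenized merchant record contains nothing a scanner would classify as cardholder data, while the legacy record does.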
About Complete Controller® – America’s Bookkeeping Experts
Complete Controller is the nation’s leader in virtual accounting, providing services to businesses and households alike. Using Complete Controller’s technology, clients gain access to a cloud-hosted desktop where their entire team and tax accountant may access the QuickBooks file and critical financial documents in an efficient and secure environment. Complete Controller’s team of US-based accounting professionals are certified QuickBooks™ ProAdvisors providing bookkeeping and controller services including training, full or partial-service bookkeeping, cash-flow management, budgeting and forecasting, vendor and receivables management, process and controls advisement, and customized reporting. Offering flat-rate pricing, Complete Controller is the most cost-effective expert accounting solution for businesses, family offices, trusts, and households of any size or complexity.