PCI Council Adds European Partner to Fight Fraud
European Card Payment Association Brings New Expertise, Perspective to Board
The PCI Security Standards Council envisions PCI-DSS as a single, globally-unified data security standard. Now that the European Card Payment Association is a strategic regional member of the council, that goal is significantly closer, says Jeremy King, the council's international director.
The PCI Council on March 22 formally announced its partnership with the ECPA, describing the pairing as "joining forces to protect against payment data theft around the world." What this means in practical terms is that the ECPA will now collaborate with the council's working groups and committees to help shape future versions of PCI-DSS, as well as to promote adoption of the standard to its members, in conformance with evolving European Union regulations.
"What we're getting is expertise in organizations that have been using chip technology for the last 10 years," King says in an exclusive interview with Information Security Media Group. "So we're getting good cryptographers; we're getting good people who understand how payments work, how chip cards work, how contactless cards work. And so that is a fantastic technical resource that is coming into the council."
ISMG's Tom Field caught up with King at the end of the PCI Council's executive board meeting in Paris on March 17. In the interview, excerpted below, King talks about how this new strategic partnership will fuel global acceptance of PCI standards.
"One of the key things we always go on about is that our standards are global," King says. "And people say, 'Where is this global input?' Here it is."
Also in this interview, King discusses:
- Fraud migration post-EMV in the U.S.;
- The evolving payments landscape;
- How the council will address security gaps at small-to-midsized merchants.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.
Significance of Partnership
TOM FIELD: The European Card Payment Association has now become a strategic regional member of the PCI Security Standards Council. What is the significance of this news?
JEREMY KING: This is a major achievement for both the council and for the ECPA. The ECPA is a relatively new organization made up of 13 European regional card associations. These are the local debit card issuers and schemes here in Europe, and essentially they've come together because within Europe we've got a lot of new European regulation that is coming through at the moment. We've also got the European Central Bank trying to simplify payments across the European payments area. So there was a need for all of the different European schemes to come together.
FIELD: How is this partnership going to help protect payment data?
KING: What we're getting actually is expertise in organizations that have been using chip technology for the last 10 years. So we're getting good cryptographers; we're getting good people who understand how payments work, how chip cards work, how contactless cards work. And so that is a fantastic technical resource that is coming into the council that isn't always readily available.
We also get their understanding of how the European field is playing and how European regulation is coming into force. Also, we're then able to share our standards with each of these individual organizations. ... They can see that, yes, our standards are global. One of the key things we always go on about is that our standards are global. And people say, "Where is this global input?" Here it is.
Assessing the Threat Landscape
FIELD: What are the payment security threats that give you the most concern?
KING: I think it is still in the card-not-present space. There are still too many organizations that don't realize - and this is something that we're trying to reiterate especially in the U.S., as they migrate to EMV - even within EMV transactions, the transaction is not encrypted. And so the key data elements around the expiry date and the cardholder name are in clear text. So although EMV is going to be a fantastic way to reduce face-to-face fraud, it's going to change the fraud pattern in the U.S.
We're trying to really make merchants and other organizations aware ... that the fraud is going to migrate to the card-not-present space. It's the biggest challenge, and everyone has to be aware of that, and everyone has to understand about securing data, but also even more so now it's about securing their organizations. It's understanding that the criminals can find one way into a network and then they're into your organization, and from there they can just find the data and steal it.
Getting Message to the Masses
FIELD: Do you find it's just the bigger organizations that are getting the message, or are you seeing the rank-and-file merchants starting to follow suit?
KING: The bigger organizations have been getting the message, and it was clear to us that we needed to work harder on the small merchant side. We've had a task force running for the last 18 months with the major task of "how can we simplify our information that we're providing to them?" Far too many times when I was talking to smaller merchants, they were just saying, "We don't understand how or what this language means. ..."
So we've been working on this, and hopefully by the end of May we are going to have some new guidance specifically for small merchants.
FIELD: Let's talk about the EMV migration in the U.S. What progress are you seeing?
KING: I think the good news is that now we're seeing definite big improvements on the figures in terms of merchants that are EMV-enabled. ... I know there is a lot of feeling like this isn't going quickly enough, but it is a lot of work. It is not so much we can't get the cards out - we can. But it's just making sure that every merchant is set up correctly.
The other exciting thing with the EMV migration is that it is a technology enabler. Over here, especially in the U.K., contactless cards have really taken off in the last year or so. Now, to have the EMV contactless card, you need the EMV terminals. To have Apple Pay and Samsung Pay and Google Pay working at their best, you need the EMV terminals.
Merchants should be ensuring the new terminals that they are putting in place are contactless-enabled. So we're going to go not only with the EMV, but we're also going to get the benefits of contactless cards or fast tap-and-go payments. We were discussing where payments are going to go next. We're all into the wearables. Is it going to be on my watch? Is it on a Fitbit? Is it on a token? All of this needs the fast payment infrastructure to be in place, and this is what's coming.
Now ... the U.S. is going from a new position; they're getting all of the latest technology. So they're going to be at the very latest, most secure place. Some of our technology over here has been around for up to five, 10 years. So, if I'm an international criminal, I just look for which is the weakest security. Is the weakest security in the future going to be in the U.S.? Maybe not. Will it be easy to hack into an older system in the U.K.? Maybe so.