In his presentation at the 2019 PCI Community Meeting this week in Dublin, Chief Technology Officer Troy Leach reflected on the changes in payments over the Council's history that have influenced upcoming standards such as PCI DSS v4.0 and the Software Security Framework, as well as the PCI SSC's new engagement model.
In your presentation at the PCI SSC Europe Community Meeting you talk about the evolution of payments since the Council’s inception 13 years ago. Can you talk more about that?
Troy Leach: Quite a bit has changed since we came together in 2006. Technical advancements have enabled a breadth of new payment opportunities to be introduced to market at speeds significantly faster than prior generations. Smartphones were yet to be introduced, global internet speeds limited the capabilities of cloud services and applications were much more static with less reliance on third-parties.
At the same time, today we also have new security approaches to address these changes: broad adoption of point-to-point encryption, use of proxy accounts such as payment tokens, and newer proactive controls to address the more complex environments.
How is the Council evolving to address the rapid evolution in payments and technology?
Troy Leach: In his keynote presentation at the 2019 PCI SSC Community Meeting in Vancouver, Executive Director Lance Johnson introduced the Strategic Framework that is guiding PCI SSC activities to achieve its mission and support the needs of the global payments industry. This framework reinforces the mission we have had since day one, to enhance global payment account data security, and identifies how the scope of PCI SSC activities has evolved to support the changing needs of the payments industry. The Council is continuing to evolve its standards, programs and resources to help the marketplace keep pace with payment innovation in a secure manner. These standards and programs support and enable safe commerce and the flexibility to use different approaches to meet those standards.
The critical first step in the evolution of our standards is the collaboration with all relevant payment stakeholders. Engaging payment industry stakeholders is imperative to ensuring that our standards and resources reflect and address industry needs and challenges. The recent commitment to update our Request for Comments (RFC) process and develop more channels for discussing payment security issues will ensure that all perspectives and emerging technology will be considered when developing next-gen security requirements.
PCI DSS v4.0 is currently in development and a key topic of discussion this week. How is the Council’s focus on evolving security standards and validation shaping this next revision?
Troy Leach: A common goal remains to establish security baselines that are realistically achievable with enough guidance and clarity that the intent is globally understood. In addition to expanding on the requirements to address newer security risks, with PCI DSS v4.0 there is a concerted effort to include intention statements to understand how best to validate the security relevant to the shifting payment landscape.
For the first time ever, we are sharing an early draft of the standard to solicit feedback from our global stakeholders. I'd like to invite Council stakeholders to review and provide feedback on a working draft of the next version of PCI DSS, v4.0, in an RFC period scheduled to start at the end of October.
Contactless payments are an important issue here in Europe. Can you talk about the Council’s new contactless initiative as part of its focus on providing standards for emerging payment channels?
Troy Leach: PCI SSC has supported contactless for several years within our standards for payment hardware. In December, PCI SSC plans to publish a new standard for solutions that enable "tap and go" transactions on merchant smartphones and other commercial off-the-shelf (COTS) mobile devices. This Contactless Payments on COTS (CPoC™) Standard increases the diversity of payment acceptance for which PCI SSC develops a security framework.
You mentioned in your presentation that your role is shifting from one that is focused on Standards, to one more focused on engaging with the PCI SSC stakeholders. Can you talk more about this change and what it will mean to Council stakeholders?
Troy Leach: Returning to the Strategic Framework that we discussed earlier, a critical aspect is collecting intelligence from industry practitioners and other security subject-matter experts to improve the breadth and comprehensiveness of our standards and programs. At the same time, we need to continue to challenge ourselves to expand how we communicate and support educational opportunities for payment security to be adopted. To achieve this, PCI SSC recently re-organized and established a group titled Stakeholder Engagement, which I'll have the privilege to lead. Within our team, we hope to be a centralized hub for intelligence in and out of the PCI SSC.
What are some of the key ways the Council is working to increase industry involvement and knowledge?
Troy Leach: In order to be effective, our standards and programs must reflect and address industry needs and challenges. To do that, the Council prioritizes increasing global industry participation in several ways. This past year we formalized our RFC process to provide more transparency and consistency in the process. These changes reflect the Council's goal to increase industry participation in our RFC process.
The Special Interest Group (SIG) Program is another way the industry can contribute their expertise to the global payments industry. SIGs develop resources that can help the payments industry and are driven by the community. The SIG topic for 2019, PCI DSS for Large Organizations, will be published in December, while the election to select the SIG topic for 2020 will commence shortly. We invite Participating Organizations to vote in the election, which runs from 11 November to 25 November. Information on how to participate in the selected SIG can be found on our SIG webpage.
There's certainly a lot going on at the Council. What is the best way for stakeholders to stay informed on the latest news from the Council?
Troy Leach: I'm glad you asked. I encourage stakeholders to subscribe to our blog, where the Council regularly provides updates and resources on our standards and programs alongside case studies and insights from industry experts. Additionally, if you are a Participating Organization (PO), you should be receiving the PCI Monitor. This is a weekly snapshot of news and events from the Council sent to your inbox. If you are a PO and are not receiving the PCI Monitor, please email firstname.lastname@example.org. Our social channels are another great way to stay in the know on Council news; follow us on Twitter and LinkedIn.