At the Europe Community Meeting in London this week, International Director for Europe Jeremy King shares insights into top payment security issues in the region and the importance of global collaboration to safe payments.
What are some of the top payment security challenges you see in Europe today?
Jeremy King: Europe, like many other parts of the world, faces the twin challenges of, on the one hand, fighting cardholder data crime, especially in the e-commerce space with card not present (CNP) fraud, and, on the other, introducing new frictionless payment technologies. These challenges are especially difficult for small merchants.
How is PCI SSC helping organizations to address some of these challenges?
Jeremy King: Our aim is to help secure cardholder data regardless of the channel and process used. PCI SSC, through the cooperation and collaboration of our community in Europe, continues to expand and develop its range of standards and programs to do exactly that.
For example, over the past year we’ve put out two standards that support secure implementation of EMVCo’s EMV® 3-D Secure (3DS) protocol, which protects merchants from exposure to CNP fraud by enabling consumers to authenticate themselves with their card issuers when making online purchases through web browsers or via mobile applications.
This year we also introduced a new Software-based PIN Entry (SPoC) Standard and program aimed at enabling merchants who do not have a fixed location to accept card-based chip and PIN transactions in a secure manner. This is ideal for small merchants such as service engineers, or those running market or event stalls. It’s also an option for merchants looking to queue-bust or simply provide a better service to their customers.
Talking of small merchants, the PCI Small Merchant Task Force just rolled out new PCI Data Security Essential Resources for Small Merchants. Building on previously released guidance for small merchants, the PCI Data Security Essential Resources now include a tool that takes merchants through the process of evaluating how they are addressing critical security risks for their specific payment environment.
Why is the involvement of the payment card industry in Europe important to the development of security standards?
Jeremy King: One of the most important aspects of the PCI Standards and programs is that they are global. It is therefore essential that we have input from European industry stakeholders to ensure that our standards are relevant and appropriate for European merchants and other organizations. The great news is that Europe is significantly involved in PCI SSC. The European Card Payment Association (ECPA) as Strategic Regional Member has representatives on the PCI SSC Management Committee and PCI SSC Working Groups; European Affiliate Members Pan Nordic Card Association, Dutch Payments Association and Cartes Bancaires also have representatives on the PCI SSC Working Groups. We have strong European representation on our Board of Advisors and in our Participating Organization base, and similar support in our Special Interest Groups and Small Merchant Task Force. This involvement makes a difference and makes our standards and programs better for all.
What will be areas to watch in 2019 from PCI SSC?
Jeremy King: 2019 is going to be another very busy year. We plan to launch the new PCI Software Security Framework, which will provide the payment industry with more consistency in how software can be assessed for security and ultimately a broader range of secure payment solutions. We have also begun work on a contactless on COTS standard. The aim is to develop security requirements for solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader by leveraging the native NFC capabilities inherent to a COTS phone or tablet.
In addition, we will be working on the next iteration of the PCI DSS, which is anticipated for publication in 2020, and seating a new Board of Advisors.
What is certain is that payment technology does not stand still, and unfortunately neither do the criminals, and involvement from payment card industry stakeholders in Europe and globally will continue to be critically important to securing payments.