Securing emerging payment channels is a core pillar in the PCI Security Standards Council’s (PCI SSC) strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Standards Officer Emma Sutcliffe, we discuss this pillar and how it’s shaping Council priorities.
What does the Council’s focus on securing emerging payment channels mean?
Emma Sutcliffe: As payments and technology evolve, the Council will introduce new security standards and resources to support secure payment acceptance in new and emerging card and card-rooted payment channels, such as mobile and, in the future, the Internet of Things (IoT).
How does the Council define card-rooted?
Emma Sutcliffe: Card-rooted refers to payment channels utilizing new methods and technologies that do not require the use of a physical card, but that still result in a payment card-based transaction. The Council’s remit will continue to focus on account data security for network card payments, whether a card is involved or not.
How does the Council develop and evolve PCI Standards to secure emerging payment channels?
Emma Sutcliffe: Participation and input from payments industry stakeholders play a key role in our efforts to both evolve existing PCI Standards and to create new standards. This wide-ranging engagement with stakeholders is intended to ensure that our standards continue to support and align with changes in payments and technology.
As an example, we have an engaged and active Mobile Task Force that we work closely with to identify trends in mobile technologies and uses, and how these trends are impacting our standards.
We also collaborate with the broader payments industry through our RFC process, which provides PCI SSC stakeholders the opportunity to participate in the ongoing evolution of PCI Standards by reviewing proposed updates and providing feedback.
What are some examples of how the Council’s focus on securing emerging payment channels is shaping PCI SSC initiatives?
Emma Sutcliffe: Our mobile payment acceptance standards are designed to support secure payment acceptance in new and emerging payment channels. For example, the PCI Contactless Payments on COTS (CPoC™) Standard will expand our existing support for contactless payments with a new standard specifically for solutions that enable contactless payment acceptance on a merchant commercial off-the-shelf (COTS) device using an embedded near-field communication (NFC) reader.
Additionally, as part of the PCI Software Security Framework (SSF), the Secure Software and Secure Software Lifecycle (Secure SLC) Standards and Programs introduce new validation options for software vendors to demonstrate their software products and development processes are designed and implemented with security built in. As the SSF evolves, the addition of future modules may encompass security requirements for emerging payment acceptance channels not addressed by the Payment Application Data Security Standard (PA-DSS).
How does the Council’s focus on securing emerging payment channels ultimately benefit the industry?
Emma Sutcliffe: Vendors benefit by having industry-recognized standards available for use in developing secure payment solutions, with certification and listing that demonstrates their products meet those standards. Merchants and other entities benefit from being able to easily identify payment acceptance solutions that have been validated as meeting a comprehensive set of security objectives, supporting informed decisions about products that support their needs and protect the integrity and confidentiality of their payment data.