Recognizing there is no one-size-fits-all approach to data security, the PCI Security Standards Council continues to evolve its requirements toward a goal of greater flexibility for payments providers. The new approach comes as the Council contemplates a new version of its core security standard.
Gathering in Vancouver, B.C., this week at its annual North America Community Meeting, the rules-setting body for electronic-payments security discussed topics that included the need for greater input from payments companies and development of security standards for contactless payments made on mobile devices.
To attract more industry input during the development and revision process for a standard, the PCI Council will offer multiple opportunities for industry feedback. In the case of its flagship PCI data-security standard, the PCI Council is, for the first time, sharing a draft of the planned updated standard for review. Previously, the revision process included a single request-for-comment period based on the current version of the standard. The first request-for-comment period for the new version, which solicited feedback based on the current PCI DSS 3.2, was in late 2017. Two further feedback periods, in which drafts of the planned PCI DSS 4.0 are shared with stakeholders, are scheduled for October and mid-2020.
All new standards and major revisions to existing standards will have a minimum of two request-for-comment periods. Minor revisions will have at least one. Notices soliciting industry feedback will be made public 30 days in advance of the start date.
“Payment-data security is changing and we want to make sure that the PCI standards going forward are adaptable with the new technologies being deployed in the payment industry,” Troy Leach, chief technology officer for the Wakefield, Mass.-based Council, tells Digital Transactions News. “At the same time, we want to make (industry) feedback more transparent.”
One technology for which the PCI Council is preparing a new standard involves contactless payments initiated using a mobile device. That standard is scheduled to be published by year’s end.
After years of fits and starts, contactless technology is gaining momentum in the United States thanks to ongoing adoption by mass-transit agencies. Rollouts of open-loop contactless fare systems this year by New York’s Metropolitan Transportation Authority (MTA) and the Miami-Dade County Department of Transportation and Public Works (DTPW) are expected to significantly boost U.S. contactless volume. New York’s MTA reached 1 million taps in August after launching May 31. The Miami-Dade DTPW system has more than 6 million monthly bus and train riders.
Many contactless transactions, especially in transit, are made with smart phones. Mobile-based contactless apps typically include a tap-and-go feature within the device, making the form factor well suited to moving commuters quickly through a turnstile. Both the MTA and Miami-Dade DTPW fare systems support mobile devices.
“Smart phones are becoming a bigger form factor in payments, especially for transactions in quick-moving environments such as transit,” Leach says.
In addition, the Council is planning major revisions to its PCI data-security standard, which it has not revised in a significant way for about six years, Leach says. As noted, the new version of the standard, from which all other PCI Council security rules are derived, will first be open for review in October.
“The plan is to make the standard more dynamic so that this standard and all other standards that evolve from it will be adaptable to the next generation of payment technologies,” says Leach.
The Council was founded in 2006 by American Express Co., Discover Financial Services, JCB International, Mastercard Inc., and Visa Inc., which collectively govern the organization.