RBTE 2017: PCI compliance is cheap compared to EU GDPR, says payment security panel

Jeremy King, international director of the PCI Security Standard Council, admitted that PCI compliance is “an expensive, massive thing”, especially, he said, for smaller merchants without the IT team or the understanding of data and payment security.

However, he added that the cost pales in comparison to the upcoming EU General Data Protection Regulation (GDPR). “EU GDPR will hit everyone and the likelihood is that your systems where you store customer data won’t be secure. The cost of fixing that puts the cost of PCI compliance in the shade.”

“The regulators have sharp teeth and they’ll use them,” he warned. “Merchants therefore need to take a stronger stance. The PCI standards are the best chance they have.”

The size of the merchant correlates to its ability to look after EU GDPR, according to Ian Butler, head of EU security products at Elavon. “The bigger merchants can look after EU GDPR themselves, I won’t have any extra tools for them. The value lies in helping smaller merchants without IT teams. They’ll be the ones that get hit, so there is space to offer broader services to them.”

For PCI compliance, Elavon provides smaller merchants with access to a portal to work through PCI and help them reach a state of compliance, says Butler. “We have added a new service that offers a call back to talk you through PCI and fill it in for the retailer. However, they still have to put the right measures in place technically and through staff training.”

Graeme Forward, Transport for London’s analytical manager of fraud prevention, audit and risk, said no company can ever be fully prepared for the introduction of the new measures.

“Are TfL 100% prepared for EU GDPR? No, but can we ever be 100% prepared? EU GDPR is so broad and vast, it has to be treated as a continuous journey of improvement. For a large organisation with outsourced data management, like TfL, the biggest challenge is how wide the onus is on third parties.”

Forward also doesn’t believe the UK leaving the EU will have a great impact on these standards. “We’ll still be bound by EU GDPR and will need to work at the highest possible standard.”

King admitted that compliance does not equal perfect security. “If your organisation has spent a lot of time and effort on becoming PCI compliant, it can still be breached.” The fall-out, however, can be less extreme if you are able to demonstrate compliance. “They are likely to take a more positive review,” he advised.

Innovation and user experience

Another theme of the panel was balancing payment security with usability. Butler declared that focus needs to be split between “making sure data stays safe in the background, whilst ensuring that the customer can make the payment easily in the foreground.” The challenge, he added, is to keep up with fast-paced payment technology evolution. “PINs for example are no longer great”, he said. “Start with security and then work on the other elements – we need a sensible middle-ground. A great example is that Amazon don’t bother with 3D Secure because they know their other measures keep them secure.”

For TfL, user experience is of huge importance. Forward explained that the next big step for TfL is to use big data to marry up services so that users can access information on areas such as their Oyster card, congestion charge and cycle hire all in one place. “It will be fantastic for the consumer. It will give us a headache, but also gives us big advantages. Our job is to keep that data secure whilst also getting all the benefits”, TfL’s Forward said.

For the PCI Security Standards Council, great customer experience is also critical. “A consumer’s experience needs to be seamless, quicker and secure,” said King. In order to achieve that, industry collaboration is essential, he added. “We’re a standards body so our great challenge is that we’re always playing catch-up,” he said. “Regulators in Europe and the UK don’t always get that as well as making payments more secure, we also need to make them quicker.”

Educating the public about how to detect when a website and payment transaction is secure is key, agreed the panel, whilst adding that it’s not easy. “You try to build trust in a brand, which should then breed trust in its payment security”, said Butler.

“We can’t expect card holders to be experts in security, so it’s our responsibility to make those websites as secure as possible,” said King. “Keeping confidence in the brand, the process and the payment structure is everyone’s responsibility.”

Multi-factor authentication for payment security

King confidently said that the EU directive to introduce two-factor authentication will be passed and will have “massive implications. We argued vigorously around the ability to use threat analytics, and they have fortunately listened. We need to look more closely at pragmatic approaches – for example, one of the standard second factors is an SMS message – but this doesn’t work if you are using the same phone to make the transaction.”

Butler agreed that the industry needs to find smarter and different ways of doing multi-factor authentication. “RSA tokens are clunky, the sorts of technology emerging are voice and face recognition and sound matching recognition,” he said. “We need to make it easier for the user to have a second factor.”