PCI meeting confirms m-payments interest
By Retail Technology | Friday November 1 2013
Mobile payments emerge as a hot topic as annual regional meeting focuses on PCI DSS update, point-to-point encryption and 2014 Special Interest Group projects
More merchants are expressing an interest in understanding the security implications of using mobile technologies to accept card payments, it emerged this week at the sixth annual European meeting of Payment Card Industry (PCI) community stakeholders.
Hosted in Nice, France, by the PCI Security Standards Council (PCI SSC) as the global forum for the development of payment card data security standards (DSS), this year’s meeting attracted more than 500 global payment security professionals from 40 countries who play an active role in PCI standards development.
A key focus for the meeting was to drive understanding and discussion of upcoming new version 3.0 of the PCI DSS and Payment Application (PA) DSS standards in the context of the current payment card security landscape.
Education and awareness priorities
Jeremy King, European director for the PCI Security Standards Council, told RetailTechnology.co.uk that common version 3.0 themes around improving staff education and awareness of security risks were also high on the European meeting agenda.
“One of the key messages is that everybody understands the role they play – whether they’re the CEO or the cashier – in having a direct impact on the security of that retail environment and how they can help protect that retailer from being breached,” he said. “We’ve tried to enhance that by improving the training requirements throughout the standard, for example around the security of the physical point-of-sale device.”
Troy Leach, PCI Security Standards Council chief technology officer, added that mobile payments were also a common conversation topic. “We’re starting to hear, ‘what can I do with mobile?’ and seeing opportunity for new channels and ways to accept payments,” he said. “We’re particularly seeing this in the European market where we already have advanced chip and PIN technology solutions.”
Mobile point-of-sale interest
But Leach drew a distinction between interest in mobile point-of-sale activity and mobile-enabled contactless, near-field communication (NFC) payments. “The PCI Council’s focus has primarily been on when a merchant takes other people’s credit card information and doing that in a secure way that adds the benefit of using remote mobile technologies,” he added.
He pointed to Gartner Research prediction that the numbers of merchants able to take mobile payments will more than double by 2016. “It is of significant interest to merchants who may already have a retail or e-commerce channel. They’re seeing that this as the next great opportunity for enhancing their customers experience through how they accept payments.”
The Council also updated stakeholders on current PCI technology initiatives around mobile payment acceptance, tokenisation and point-to-point encryption (P2PE), announcing the availability of its validated solutions listing for merchants and acquirers looking to deploy P2PE technology to simplify their PCI DSS security efforts.
Building and sharing best practice
PCI community members were also given the opportunity to interact with their peers on challenges and lessons learned in 'PCI in Practice' case study presentations, as well as hear proposals for suggested PCI Special Interest Group (SIG) projects in 2014.
PCI participating organisations will have the opportunity to vote for the SIG projects they would like the community to pursue in the year ahead, from 4 November through 15 November.
PCI DSS and PA DSS v3.0 will be published 7 November 2013. The standards come into effect 1 January 2014, but version 2.0 will remain active until 31 December 2014 to offer participating organisations adequate transition time. Despite this timeframe, results of a survey released this week found relatively low levels of version 3 readiness.
The European meeting was the second of three regional PCI Community Meetings held this year. PCI Participating Organisations in Asia-Pacific will also have the opportunity to discuss PCI Standards updates and initiatives in Kuala Lumpur, Malaysia, on 20 November 2013 and can find more information about the event here.