As the PCI Security Standards Council celebrates its 10th anniversary, Troy Leach, the council's chief technology officer, offers his assessment of how its PCI Data Security Standard might evolve in the next 10 years.
The types of security controls the PCI-DSS will need to include 10 years from now will hinge on the amount of static payment data used to conduct transactions, he says in an interview with Information Security Media Group.
"If we reflect to 10 years ago, I couldn't have imagined that we would have so many payments being run through phones and watches ..." Leach says. "The ecosystem in which payments operate today is different than it was 10 years ago. What we need to be cognizant of is an ability to create dynamic data that changes how those transactions occur, how they work with security. And so as long as there are static data that we need to protect, the relevancy of DSS, or parts of the DSS, to control and protect that information will remain. The question is: What does a payment account number look like in 10 years?"
Evolution of the Standard
Leach says that if payments continue to evolve, relying more heavily on dynamic rather than static data, then the PCI-DSS will have to evolve as well.
"If it is dynamic information, then we have to focus our attention on how that dynamic information is created, how authentication to that transaction occurs, and other relevant aspects of a payment transaction, rather than the ... amount of controls that are required in the diverse types of technology environments we operate in today," he says.
PCI-DSS was created so organizations could re-evaluate how they were actually using and managing cardholder information, Leach says. "If we reflect back to that time, people were not aware of the risks associated with storing cardholder information or using it for loyalty programs or customer management programs. So much of the DSS effort in the beginning was actually to educate about the removal of unnecessary storage of information that was associated with many breaches at the time."
In a dynamic payments environment, however, concerns about stored payment data go away, Leach says.
During this interview, Leach also discusses:
- The PCI Council's accomplishments over the past 10 years;
- How EMV and the PCI-DSS will complement each other;
- Hot topics to be addressed during this fall's round of PCI Council community meetings, which kick off Sept. 20 in Las Vegas.
In his role at the PCI Council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee.
In the weeks ahead, ISMG will offer a series of interviews and updates about the global outlook for the evolving role of PCI-DSS.