Why PCI Security Standard Adoption Is Growing in Europe
Banking Deregulation, New Breach Notification Rules Drive Uptake
While the Payment Card Industry Data Security Standard gets credit for helping to push U.S. retailers to improve card data security, it's also had a big impact in Europe.
"There's a lot more e-commerce maturity in the U.K. than we see in the U.S., and also the chip-and-PIN infrastructure that's been deployed ... in Europe," says Andrew Barratt, the international managing director for Coalfire Systems, which provides compliance services, including PCI auditing. That maturity, however, "doesn't remove the need to protect the card data," he adds, as well as to comply with PCI.
This year marks the 10th anniversary of the launch of the PCI Security Standards Council, which has been instrumental in driving adoption of the PCI DSS, which was first introduced in 2004 (see PCI Turns 10: Will It Last Another 10 Years?).
In the past 10 years, PCI DSS has become a widely used standard throughout Europe. All of the card brands in Europe - Visa and MasterCard dominate, while American Express is up and coming - strongly push PCI, Barratt says. Furthermore, PCI has always been taken quite seriously in the U.K., Germany and France, Barratt contends.
But just as in the United States, not all European organizations that process payment card data understand their PCI compliance responsibilities, says information security consultant Brian Honan, who heads Dublin-based BH Consulting and founded Ireland's first computer emergency response team.
"Very often, many think that PCI only applies to them if they process the credit cards via their website," he tells me. "They are not aware they are obliged to comply with PCI DSS even if they outsource the processing of credit cards to third parties, if they accept credit card payments over the phone, or even in person. So there is still a lot of work to be done to make companies become more aware of their responsibilities and obligations when accepting credit cards."
Deregulation Drives Uptake
Now, however, in more countries in Europe, especially Spain, "some of the big acquiring banks are really starting to push the market for [PCI] compliance, because they're concerned about the risk of fraud, as much as anything," Barratt tells me.
That push is the result of many European countries deregulating their banking industries by jettisoning onerous rules, as well as interbank or cross-border money-moving fees, all of which has opened up their markets to competition. Many service providers as well as acquiring banks - which process payment card transactions on behalf of merchants - use PCI compliance as a competitive advantage, Barratt says. For example, they use compliance to demonstrate their suitability for operating in new markets. In addition, acquiring banks typically contractually enforce PCI compliance on merchants as a fraud-prevention measure, he says.
PCI, of course, is a global standard, but Barratt says recent updates will be especially applicable to European security practices. That includes the PCI Council recently updating its e-commerce guidance in light of recent attacks. As European organizations increasingly implement point-to-point encryption and tokenization, he says, PCI standards will also help shape related decisions.
Barratt says upcoming PCI guidance relating to telephony-based payments, including alternative ways to handle payment card data over the phone, should help merchants in Europe and beyond that are in pursuit of an "omni-channel payments system." That's an industry buzzword referring to having one all-encompassing payments infrastructure that covers all payment channels.
EU Breach Notifications: PCI Impact
Under the EU's new General Data Protection Regulation, which will be enforced beginning in 2018, organizations that do business with Europeans will also be legally required to inform consumers when their personal data get exposed. "Should that breach impact credit card data, which would be deemed personal data under GDPR, then the company will have to notify the authorities of the breach," Honan says.
That's a first for Europe, and the increased breach transparency will likely "focus the mind of consumers, regulators and inevitably companies" on acceptable cybersecurity practices - including demonstrating PCI compliance, he says.