Secure Marketspace with Mike D'Agostino

A World Without Payment Cards (and PCI Compliance)

Credit and debit cards are everywhere. I use mine daily, and I suspect many functioning adults in the U.S. and beyond do as well. For me, convenience is a major factor in their use -- instead of carrying around wads of cash, I can carry a single piece of plastic and use it to accomplish the same goal -- buy things. If I lose my wallet or worse, get robbed, I'm out a small piece of plastic instead of actual cash.

But payment cards are really just a means to access how much cash I have (debit cards) or how much cash I might be able to reasonably pay back (credit cards). And as such, the form-factor doesn't really matter. If, instead of a piece of plastic, I used a rock to associate my physical presence with the cash or credit I have available, would I be discussing payment rocks as opposed to payment cards? Payment cards, to me, represent an intermediate step from an all-cash physical-based currency to one that is completely credit-based and electronic. They just happen to be the current form-factor of that transition.

And so as the finance, retail and associated industries continue to struggle with combating data breaches and the complexities of PCI compliance, I can't help but think that the ultimate issue is data security. That's a broad term that I believe encompasses everything from authentication to encryption, however it has nothing to do specifically with payment cards. Why does the form-factor matter? Why don't we just call it "DS Compliance" (data security compliance) as opposed to "PCI Compliance"?

My take is that the payment card companies demand a stake in the all-encompassing financial empire. Visa, American Express, Discover and others - those are the companies that are issuing payment cards. They want people to use their cards; they do not want people to use alternative payment methods. Therefore, it is in their best interest to promote a payment card monopoly. Instead of focusing on overall data security, they are focusing on payment card security -- why else would it be called the Payment Card Industry Data Security Standard?

What happens if a secure biometric comes along that allows people to authenticate themselves and financial transactions without having to use a payment card? What if a financial institution can provide a method of authenticating transactions using this biometric without the need for a payment card or payment card companies? Would PCI Compliance still be relevant? After all, PCI Compliance is something drafted by payment card companies and not through a federal regulatory agency.

The issue is that PCI Compliance addresses security implications not completely reliant on payment cards. Building and installing firewalls, encrypting data in transmission, tracking and monitoring network resources...these are all things that ANY operation dealing with sensitive data should be practicing, not just those dealing with payment card data.

PCI Compliance is starting to have a monopolistic feel to me. It's like Microsoft drafting operating system standards with the notion that everyone will use a Microsoft operating system. That simply isn't the case!

When discussing the future of PCI Compliance we must envision a time when payment cards are not the standard protocol for authenticating and performing transactions. Just because payment cards -- little pieces of plastic with a magnetic stripe issued by one of just several large companies -- are the standard today does not mean they will be the standard method of payment tomorrow. Instead of focusing specifically on payment card data security, the industry should focus on data security, period. This will help ensure no matter the form-factor or method of payment, whether through a piece of plastic or a rock or biometric or otherwise, that the underlying sensitive data is most secure.

Perhaps the payment card companies should not be the ones drafting data security standards, and we can lose the "PCI" moniker.

Should payment card companies be responsible for drafting data security guidelines? Or do we need a more "unbiased" authority creating security standards that apply to sensitive data in general?


