How EMV Could Affect Role of PCI-DSS
PCI Executive Sizes Up Evolution of Standard
The PCI Data Security Standard will remain viable even after EMV, as well as encryption and tokenization, become more common, argues Jeremy King of the PCI Security Standards Council. He acknowledges, however, that the standard will have to evolve in light of changes in the payments system.
Still, some merchants and security pundits assert that compliance with the PCI-DSS will become irrelevant once less payment card data is transmitted in the clear (see Is PCI-DSS Still Viable?).
But King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, "we will see a move of the fraud to card-not-present," he says during this interview with Information Security Media Group. "Therefore, it is essential that merchants are following the PCI-DSS," to ensure they have good levels of data security.
King acknowledges, however, that tokenization and encryption could eventually simplify PCI-DSS compliance because less cardholder data will be exposed.
"Tokenization, especially in the face-to-face [card-present] environment, such as is used through Apple Pay, is a great way of removing cardholder data out of that environment. And so for those merchants, it will reduce their PCI-DSS scope and requirements."
But until mag-stripe transactions are completely eliminated, PCI-DSS requirements will remain relevant, he contends.
Eventually, however, PCI-DSS will need to evolve in light of changes in the payment environment, King acknowledges. "We'll watch which way the market moves .... We will adjust and we will move to wherever data needs protection. And that will be beneficial to the merchants, and beneficial to the vendors."
During this interview, King also discusses:
- How the evolution of PCI-DSS compliance will be influenced by changes in the payments landscape;
- How emerging technologies will reduce the expense associated with PCI-DSS compliance; and
- Why the migration of fraud to the card-not-present environment is a serious concern.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.