Thales Blog

PCI DSS 3.0 Update: On the Eighth Day of Christmas…

January 8, 2014

Ian Hermon | Product Marketing Manager

On the eighth day of Christmas my true love gave to me…

…updates to the PCI DSS 3.0 Standard! While the comprehensive, 112-page set of requirements was probably not on the New Year wish list for most small merchants, improved protection of customers’ information certainly should have been.

The logic for singling smaller merchants out here is that large merchants who already invest heavily in PCI DSS compliance are unlikely to have too many difficulties meeting the new requirements. Meanwhile, PCI regulation remains a daunting prospect for small and independent retailers – a challenge that is no doubt looming larger following updates to the standard on 1 January.

The new version 3.0 seeks to promote greater merchant understanding of the roles and responsibilities of all players in the payment chain with regard to security. Crucially, it also encourages merchants to take a proactive, business-driven approach to data protection, rather than viewing compliance as a ‘tick box’ exercise. However, it is unlikely that small merchants will be able to meet all the new requirements without significant third-party assistance, which will of course drive up card acceptance costs.

Indeed, the cost and complexity of compliance – with payment service providers (PSPs) responsible for ensuring merchant compliance of a very large and complex ecosystem – is the cause of the high cost of entry that has traditionally excluded small merchants and sole traders from the world of card acceptance. That is, until the advent of mobile point-of-sale (mPOS) technology.

mPOS has opened up a new level of flexibility for both merchants and PSPs, enabling them to securely accept card payments from mobile devices, rather than a traditional fixed point-of-sale terminal. Encryption, which has been used to protect PINs for many years, is now deployed to ensure that payment data is protected right from point of capture at the mPOS card reader. This means that data – encrypted and therefore devalued – can now be routed through untrusted devices and untrusted networks. With merchant systems unable to ‘see’ cleartext cardholder data, and no access to the keys to decrypt the data (these are securely managed by the PSP), the mPOS application running on the merchant smartphone is not subject to compliance scrutiny. In other words, the merchant is able to accept cards without coming into scope for PCI DSS.
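The scope-reduction argument above rests on one property: the merchant app only ever handles ciphertext, and the key that would turn it back into cardholder data lives with the PSP. The following Go program is an added illustration of that flow, not code from Thales or from any mPOS product. It assumes a single static AES-256 key shared between the reader and the PSP (a simplification; deployed systems use a key-management scheme to derive fresh keys), a constructed reader identifier and a constructed, non-real card number. The reader encrypts at capture with AES-GCM, binding the reader ID and amount as associated data; the merchant app forwards the blob and can log only non-sensitive fields; the PSP decrypts and also rejects a blob whose amount was altered in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedTransaction is the only thing the merchant's mPOS app handles:
// reader ID and amount in the clear (both bound into the AEAD tag), a fresh
// nonce, and the AES-GCM ciphertext of the card data.
type EncryptedTransaction struct {
	ReaderID   string
	Amount     string
	Nonce      []byte
	Ciphertext []byte
}

// Reader models the mPOS card reader; its key is shared with the PSP only.
// Assumption for this example: one static key per reader.
type Reader struct {
	ID  string
	key []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts card data at the point of capture. Reader ID and amount are
// associated data, so changing either after capture breaks authentication.
func (r *Reader) Capture(cardData, amount string) (EncryptedTransaction, error) {
	gcm, err := newGCM(r.key)
	if err != nil {
		return EncryptedTransaction{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTransaction{}, err
	}
	aad := []byte(r.ID + "|" + amount)
	ct := gcm.Seal(nil, nonce, []byte(cardData), aad)
	return EncryptedTransaction{ReaderID: r.ID, Amount: amount, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantForward models the merchant smartphone app: it routes the blob to
// the PSP and may log the non-sensitive fields, but it holds no key.
func MerchantForward(tx EncryptedTransaction) (EncryptedTransaction, string) {
	logLine := fmt.Sprintf("reader=%s amount=%s ciphertext_bytes=%d", tx.ReaderID, tx.Amount, len(tx.Ciphertext))
	return tx, logLine
}

// ExposesCleartext reports whether the forwarded blob carries the card data in
// the clear, which is exactly what would pull the merchant into PCI DSS scope.
func ExposesCleartext(tx EncryptedTransaction, cardData string) bool {
	return bytes.Contains(tx.Ciphertext, []byte(cardData))
}

// PSP holds the reader keys (in practice inside an HSM) and is the only party
// that can recover cardholder data.
type PSP struct{ keys map[string][]byte }

func (p *PSP) Decrypt(tx EncryptedTransaction) (string, error) {
	key, ok := p.keys[tx.ReaderID]
	if !ok {
		return "", errors.New("unknown reader")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, tx.Nonce, tx.Ciphertext, []byte(tx.ReaderID+"|"+tx.Amount))
	if err != nil {
		return "", errors.New("authentication failed: blob or amount tampered")
	}
	return string(pt), nil
}

// setup builds a reader/PSP pair sharing one freshly generated AES-256 key.
func setup() (*Reader, *PSP, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	r := &Reader{ID: "READER-0001", key: key} // constructed reader ID
	return r, &PSP{keys: map[string][]byte{r.ID: key}}, nil
}

// RunFlow runs one transaction end to end and reports what the PSP recovered
// and whether the merchant-side blob ever exposed cleartext.
func RunFlow(cardData, amount string) (string, bool, error) {
	reader, psp, err := setup()
	if err != nil {
		return "", false, err
	}
	tx, err := reader.Capture(cardData, amount)
	if err != nil {
		return "", false, err
	}
	forwarded, _ := MerchantForward(tx)
	recovered, err := psp.Decrypt(forwarded)
	return recovered, ExposesCleartext(forwarded, cardData), err
}

// TamperedAmountRejected returns true when the PSP refuses a blob whose amount
// was changed after capture.
func TamperedAmountRejected(cardData, amount, newAmount string) bool {
	reader, psp, err := setup()
	if err != nil {
		return false
	}
	tx, err := reader.Capture(cardData, amount)
	if err != nil {
		return false
	}
	tx.Amount = newAmount
	_, err = psp.Decrypt(tx)
	return err != nil
}

func main() {
	// Constructed sample: not a real card number.
	const card = "4000001234567890|1225"
	fmt.Println(RunFlow(card, "12.50"))
	fmt.Println(TamperedAmountRejected(card, "12.50", "1250.00"))
}
```

The point to take from the run is that `ExposesCleartext` is false for the blob the merchant app forwards, and that the PSP still fails closed when the merchant-visible amount is edited, because the amount is authenticated even though it is not encrypted.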

The PCI DSS compliance standard was originally developed in 2004, and is updated every three years as the payments industry evolves to support new payment methods and requires more sophisticated security solutions to combat fraudulent attacks on sensitive data. However, requirements around mobile payment security remain ‘best practice guidance’ rather than a mandate. Version 3.0 does bring the guidance closer to the standard with the inclusion of a new section that informs businesses about the purpose of implementing each requirement, though it would be good to see mobile payment security moved to the core of the standard in subsequent revisions.

Of course merchants dislike dealing with PCI DSS compliance – their business is selling goods to make profit, not incurring significant costs to protect payment data owned by card issuers. That said, given that card acceptance is largely a prerequisite and that falling short of PCI standards carries financial and reputational costs, merchants have no choice but to adopt a proactive approach to security as their New Year’s resolution.