PCI DSS is an abbreviation for Payment Card Industry Data Security Standard. It has evolved into a very mature security standard within the last few years, and, considering the rise in data breaches, its rules have been updated. The previous year, the Payment Security Report published by Verizon highlighted several essential points regarding PCI compliance.
Only 50% of retailers passed their interim audit. Furthermore, the report stated that around 80% of the total security breach victims were non-compliant with PCI DSS. This is an alarming correlation, especially for those working on the PCI security controls.
This situation raises essential questions. What does the future hold for PCI DSS? Why is there so much non-compliance with the requirements of PCI DSS? Will card payment fraud ever end?
A Brief History of PCI DSS
Previously, adopting PCI DSS was rare because of the cost associated with compliance, and the complexity of applying the standard was an even more severe problem. Long-term business planning could result in a timeline of several years. Only major enterprises could de-scope (minimize the use of card data), and even then, it took them several months to complete the project.
Current Situation of PCI DSS
Nowadays, de-scoping has become essential, primarily for point-of-sale systems. With point-to-point encryption (P2PE), store systems only ever handle encrypted card data, which removes them from the scope of PCI.
These advantages are obvious but may not be very straightforward to implement. The most challenging part is de-coupling the PED (PIN Entry Device) from the point-of-sale system. Adding to the problem is the business model of P2PE, which creates a considerable hindrance: P2PE is usually sold as a whole package in which the PED provider also handles the payment transactions. This makes the procurement process significantly more demanding and more complex. Therefore, P2PE may adversely affect a PCI compliance project.
On the other hand, the GDPR (General Data Protection Regulation) also poses a problem, as the customer’s personal information is handled in-store. This means that additional security is required on point-of-sale systems.
The Future of PCI
With the rise in mobile phone payment solutions, many industry experts are discussing the future of PCI, especially within retail, where it is most extensively used. Due to these new payment solutions, retailers may not need any card data at all.
The main issue with PCI is that, while P2PE may be an effective solution to minimize the need to store cardholder data at the point of sale, other channels, such as call centers and e-commerce, remain within scope and remain responsible for card data theft. Most fraudulent card activity originates from these channels, which is alarming.
Card cloning (a technique where someone obtains the credit card details, copies them to a duplicate card, and starts using it) also remains a lucrative fraud technique. As CNP (Card Not Present) transactions have increased, the mechanisms to prevent fraud have evolved into more refined methods, like checking transaction velocity (analyzing unusual transaction patterns).
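The following is an added illustration of the transaction velocity check mentioned above; it is not code from the original article. It runs a sliding-window rule over a few constructed CNP authorisation log lines, keyed on a card token rather than the raw card number (so the detection system itself stays out of PCI scope), and flags a token whose count or cumulative spend within the window exceeds hypothetical thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CNP authorisation log (not real data). Fields per line:
# ISO timestamp, card token (never the raw PAN), amount, sales channel.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z,tok_a1b2,19.99,web
2024-03-01T10:01:10Z,tok_a1b2,24.50,web
2024-03-01T10:02:30Z,tok_a1b2,199.00,callcenter
2024-03-01T10:03:45Z,tok_a1b2,310.00,web
2024-03-01T10:05:00Z,tok_c3d4,42.00,web
2024-03-01T11:30:00Z,tok_c3d4,15.00,web
2024-03-01T12:45:00Z,tok_a1b2,9.99,web
"""


def parse_log(text):
    """Parse the CSV-style log into (timestamp, token, amount, channel) rows, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, token, amount, channel = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, float(amount), channel))
    rows.sort(key=lambda r: r[0])
    return rows


def velocity_alerts(rows, window=timedelta(minutes=10), max_count=3, max_amount=500.0):
    """Sliding-window velocity check per card token.

    An alert is raised for every authorisation at which the token has more than
    `max_count` authorisations, or more than `max_amount` cumulative spend, inside
    the trailing `window`. Thresholds are hypothetical; tune them to real traffic.
    """
    recent = defaultdict(deque)  # token -> deque of (timestamp, amount) inside the window
    alerts = []
    for ts, token, amount, channel in rows:
        q = recent[token]
        q.append((ts, amount))
        # Drop events that have fallen out of the trailing window.
        while q and ts - q[0][0] > window:
            q.popleft()
        count = len(q)
        total = sum(a for _, a in q)
        if count > max_count or total > max_amount:
            alerts.append({
                "token": token,
                "at": ts,
                "count": count,
                "total": round(total, 2),
                "channel": channel,
            })
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the sample log, only tok_a1b2 trips the rule: its fourth authorisation within ten minutes pushes both the count (4) and the cumulative spend (553.49) over the thresholds, while the later, isolated purchases on both tokens fall outside the window and stay quiet.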
The future prediction is that CNP (Card Not Present) transactions will shift towards different payment channels, rendering the card number used at the call center or website useless. Rather than getting card information from the customer, the company will directly send the payment request to the customer’s mobile device using Google Wallet or Apple Pay.
These payment methods using mobile phones are undoubtedly the future of transactions, and rightly so. This payment method suits everyone: customers, retailers, and card companies, since the entire flow falls outside the scope of PCI. The cardholder’s personal information stays with the service provider because payments use one-time generated tokens.
Since there is no direct contact with card data in the payment process, the merchant does not regularly see card data, and the probability of card fraud is reduced. The shift towards these new payment habits may take some time. Moreover, it will also affect processes like bookkeeping, internal controls, and security, which will need to be tailored to incorporate these new payment methods.
About Complete Controller® – America’s Bookkeeping Experts
Complete Controller is the Nation’s Leader in virtual bookkeeping, providing service to businesses and households alike. Utilizing Complete Controller’s technology, clients gain access to a cloud platform where their QuickBooks™️ file, critical financial documents, and back-office tools are hosted in an efficient SSO environment. Complete Controller’s team of certified US-based accounting professionals provides bookkeeping, record storage, performance reporting, and controller services including training, cash-flow management, budgeting and forecasting, process and controls advisement, and bill-pay. With flat-rate service plans, Complete Controller is the most cost-effective expert accounting solution for businesses, family offices, trusts, and households of any size or complexity.