When can we expect PCI for Open Banking?

by | June 29, 2018 | SmartDebit

Open Banking is now here in the UK, although not yet completely supported by all high-street banks.

As new companies and services are created, we will soon be able to do ever more with our bank details, from account aggregation apps to creating new kinds of payment rules. Not only does this mean a change in what can be done directly from our bank accounts, it means our bank account details themselves are now the source data we use to make payments. This is important, because it changes the power dynamic for criminals when choosing what to target. 

Electronic payments and Direct Debit

In the past, only a customer’s bank could make a payment from an account. Then, we had Direct Debit, which allowed companies to take money from customers’ accounts on a regular basis. This mechanism, while powerful, has strong controls on how and when payments are made; it is never ad hoc or without notice, and can be refunded in every case under the Direct Debit Guarantee.

Enter cards and PCI DSS

The only way non-banks could initiate ad hoc payments was through credit cards. This made credit card data valuable, and so it naturally became a target for criminals. According to recent research, over £1 billion was stolen from bank accounts through credit and debit card fraud in 2017.

To combat fraudulent behaviour, the industry got together to create the Payment Card Industry Data Security Standard (PCI DSS), which aimed to ensure that organisations processing and storing credit card details were vetted, or at least worked to specific data and information security standards. The card brands (Visa, MasterCard, American Express, Discover and JCB) had first created their own standards with the similar aim of achieving a minimum level of security. The Payment Card Industry Security Standards Council (PCI SSC) was then formed in 2006 to align the brands’ policies, which led to the creation of the PCI DSS.

Open Banking – a new target for criminals?

With the rise in Open Banking, we spin this around again. Bank account data could well become the most convenient source mechanism for transactions and payments. No matter the security we put in place, bank account data may become as attractive to criminals of the future as credit card data was in the past.

My question to the industry is: do we need a PCI equivalent standard for bank account data?

The UK Financial Conduct Authority has been increasing its accreditation requirements for providers, but I’m not sure this is sufficient. Right now, bank account data can be treated and processed with no more ceremony than any other personal data. Is this good enough given how much more useful such data may become? Responsible processors such as SmartDebit have always treated bank account data with the same care as credit card data, but that isn’t the case universally and there are no industry standards in place to ensure bank data is stored securely.

My prediction is that this lack of security regulation on bank account data will survive a couple of high-profile breaches before the industry and regulators take action. If they don’t, nascent confidence in Open Banking as a framework could start to collapse. I just hope it’s not my bank details caught up in the news that eventually highlights the way.
