Acquirers and issuers should “band together” to meet payments standards and allow merchants to get on with transactions, according to a panel at an industry event in London this week.
John Greenwood, executive director at Compliance3, told attendees that payments organisations need to “get the balance right” between customer experience, risk, security and cost, but must also band together in helping the ecosystem tackle new challenges: “Acquirers in particular have a big say in getting the message across and it should be about everyone joining together for simplification.”
Trevor Reschke, head of threat intelligence at Trusted Knight, said it was “the client” who needed to be number one in the equation, while David Poole, global head of mobile solutions at MYPINPAD, argued that the marker of a successful firm will be one that “removes the complexity of the regulations and standards”. The merchant, he added, should just have to focus on delivering solutions to customers.
Reschke said “the first thing” on his clients’ mind when it comes to new solutions is “does this make us PCI compliant?” and that the affirmative is “all they want to hear”. “We have some other organisations that are very interested in innovative ideas but there is still just this huge chunk of the market that wants to hear that it meets PCI compliance.”
According to a 2018 Verizon study, nearly half (47.5%) of the organizations assessed in Europe for interim PCI DSS compliance validation had not maintained all their controls. The figure was a 2.9% increase from 2017.
Poole suggested that at the end of the day, “the man on the street” doesn’t care what kind of device is put in front of them. “He puts his card in and he puts his PIN into the device. There’s a fundamental trust there. He’s saying: ‘I trust this tradesman, I trust this shop’. The man on the street does not care about the branded terminals. You take a guy into a store and give him something that looks like a payment terminal and he will put his PIN in, I guarantee you. They fundamentally trust the merchant.”
2018 research by PCI Pal indicates that 44% of consumers would stop spending with a business in the aftermath of a breach, while 41% would never return. 31% of respondents reported that they spent less with firms they perceived to have weakened data controls.
On the subject of whether mobile or QR-based payment solutions - like Alipay or WeChat - could become PCI compliant and make their own inroads, Jeremy King, international director at the PCI Security Standards Council, argued that somewhere along the value chain “there is a debit or credit card”. “We’re quite happy to move away from the merchant and along that chain,” he said, but questions remain over the protection of user data.
He said that when challenged by new innovations, it’s tough for standards bodies to keep pace. “We have to observe the market and see which [innovations] gain traction and become more popular. Does that pull us behind a curtain? Yes, it does, but that’s our life as a standards body. I would actually say that we operate pretty quickly, compared with the regulators, which can be terribly slow at times.” King admitted that “pretty quickly” can still mean up to a year before standards catch up with new products on the market. “That’s why we all work best as a community, because then new innovations can be shown to us as they emerge.”
When it comes to securing payments in the Open Banking era, said King, one has to consider that there isn’t “just a selection of data siloed in one channel”. “Things can be spread across multiple channels. This is where your mindset is key, and we’re all in a transition together. Maybe in the future we’ll transition away from PINs, but we’re there right now.”