By Kevin Burns
The Payment Card Industry Security Standards Council (PCI SSC) updated its compliance guidance in 2010. Many retailers were hoping the update would give a clear way forward in terms of their PCI DSS compliance. So have their hopes been in vain?
The guidance covered two areas:
1. Europay, MasterCard and VISA (EMV): the guidance concludes that EMV does not address PCI DSS and therefore the two need to coexist. It also states that “EMV can substantially reduce fraud in face-to-face environments” and “can mitigate the risk”. So the SSC clearly supports EMV, but it is still not insisting that EMV become the global standard. As a result, UK merchants are put at risk every time they accept payment on cards which are not EMV smartcards, and UK cardholders are put at risk because their stolen data can be used on cloned cards outside the UK, where swipe is still the default standard.
2. Point-to-Point Encryption (P2PE): the SSC states that the technology is at an ‘immature’ stage. The reality, however, is that there are solutions in the market today which fit the P2PE definition and which are PCI DSS certified.
Most UK merchants who process customer-present transactions will face PCI-PTS problems in 2012 because the (EMV) Chip and PIN solution they implemented in 2004/05 will not comply.
Indeed, anyone who has not replaced their PIN Entry Device (PED) estate since 2008 will have this issue. Committing to a PED replacement (in terms of hardware and the engineering to roll it out) is not an insignificant investment, so you need to make the right decision and know what the costs are likely to be.
The cost of compliance
A key factor in this decision-making process is whether to allow for P2PE solutions or not: the requirements on the PED are different from those in most merchant environments today, and this has cost implications. Similarly, when looking at P2PE you need to consider whether the potential ‘simplification’ of scope is worth the additional cost likely to be incurred in selecting a service provider to deliver the solution, versus the continued cost of compliance in-house.
Reports over the past six months put UK merchant compliance at between 11 per cent and 25 per cent, so how do the remaining 75 per cent or more decide what is best for them?
One answer could be to wait for further PCI SSC guidance during the course of this year, but given the need to plan for PCI-PTS issues in 2012, is this really advisable?
The alternative is to look at solutions that simplify your PCI requirements in the meantime.
Kevin Burns is PCI specialist at BT Expedite