PCI DSS, a Self-Inflicted Catalyst for Disruptive Innovation?

For those of you who are unfamiliar with the concept of ‘Disruptive Innovation’ (like me until 5 days ago), it is defined as:

“a process by which a product or service takes root initially in simple applications at the bottom of a market and then relentlessly moves up market, eventually displacing established competitors.” (http://www.claytonchristensen.com)

For decades, the card schemes (Visa, Mastercard, Amex, Discover etc.) have ruled the non-cash payments space, despite the fact that the technology behind the credit card, the card number, is now over 60 years old. There have been few alternatives proposed because:

  1. There were none that did not rely on some other form of number or separate device to authenticate. For example, biometrics has never been 100% free of false positives or false negatives, and therefore is not accurate enough for the payments space. Yet.
  2. Credit cards worked, the infrastructure is pretty much global, and they are still expanding.
  3. The card brands themselves are very aggressive in protecting their empires.

Even the PCI Standards (PCI DSS, PA-DSS, and PTS) can be seen as innovation stiflers, because it’s so difficult to achieve compliance that most organisations have little time or money left to experiment. Also, no-one wants to be the first to stray from the established norm as there’s simply too much to lose, and recovery is increasingly difficult given the globalisation of competition in almost every industry sector.

But, with the massive amount of innovation that AVOIDING PCI has spawned, the number of non-card-brand options has increased to the point where only the most naive of organisations are not looking around for alternative payment methods. Why use a credit card when consumers can obtain lines of credit directly from their banks and access this from their mobile device faster, more securely, and without the outrageous fees the card brands have charged all these years?

The Internet is more distributed and available than the card brands can ever be, and mobile devices already outnumber card payment terminals by orders of magnitude. There will soon be more smartphones than PEOPLE in the world, so the demand for efficiency and functionality will only increase.

And what of chip and PIN (a.k.a. EMV)? Why would anyone bother buying the expensive payment terminal (PED) models currently provided by the likes of Ingenico, Verifone, and Micros, when a simple software ‘fix’ on ANY terminal will provide the same functionality? Functionality that is portable to every form of transaction, from card present, to eComm, to mobile (e.g. myPinPad).

OK, so the last paragraph assumes you’re still using credit cards, but it just goes to show the knock-on effect that the demise of credit cards will engender. PED manufacturers will move into something else that requires hardware, encryption and centralised management (B.Y.O.D perhaps?), most QSA companies will fail (or start doing security properly for a change), and the banks will be held fully accountable for the security of their customers’ payment transactions.

So PCI, which started out as an attempt to keep the US Fed off the card brands’ backs, has, through its complexity, expense, and inflexibility, driven the type of innovation from which there is no turning back. The card brands will either spend all of their money buying companies that provide credit card alternatives in order to future-proof themselves (like Visa buying a stake in Square for example), or they will fail.

I’d say they have 5 – 10 more good years; you simply can’t replace something as ubiquitous as the credit card until the new payment methods have worked out all the kinks. That said, it’s the Internet again that will provide the platform, and software applications that will provide the function, so global distribution is as simple as going online.

I can’t wait to see what’s next.
