What’s Next For The PCI Security Standards Council?

I don’t think anyone in the payments arena has any doubt that credit/debit cards, in their current form, will die over time in favour of mobile devices. It’s a natural next step to replace something ubiquitous with something even more ubiquitous.

So where does that leave the SSC, and the card schemes themselves for that matter?

You only have to look at Visa Europe’s website Visa Vision to see that they are moving towards mobile (and other innovations); articles like The Revolution is Here do not even mention EMV, and the only reference to plastic is in a future past-tense.

It also begs the question as to why the card schemes are pushing EMV when they themselves see an end to their reign-of-plastic. But the answer is obvious: the cost of fraud over the next 5 – 10 years far outweighs the cost of the transition. The US alone saw $7.1B in credit card fraud in 2013 (according to Business Insider), and I have estimated that the cost of EMV transition in the US is ‘only’ $12B (Why the US Will Not Adopt EMV (Chip & PIN), EMV in the US, a 12 BILLION Dollar Mistake).

So why am I so anti-EMV? Because there are technologies NOW that can replace it, are in more hands, and more widely distributed than cards ever were. Your mobile phones.

So back to my point; what WILL the card brands and the SSC do once the plastic dies? Clearly the brands have an enormous leg-up on any new player in the cashless game, and have massive amounts of capital to invest in meeting every aspect of this [so-called] disruptive innovation: research on innovation, testing proofs-of-concept, garnering adoption within the finance community, and of course, rolling it out to end users.

Mobile phone companies made a small play, and missed; banks could have done it, and didn’t; and large retail could have had a huge impact, and hasn’t. Probably because in these three cases – even banks – payments is not a core function. Being PAID is core, making the payment is not, so only the card schemes have payments as their entire reason-to-be, and therefore the most motivation.

OK, so if we assume that the card schemes are going to make a huge play in every cashless payment innovation from this point forward, where does that leave the SSC? Probably in exactly the same place, with only one change in title: from Payment Card Industry Security Standards Council, to Payment Industry Security Standards Council.

Regardless of the form of payment there HAS to be a security standard around the protection of the data. Not that the current standards are anywhere near adequate, even for cardholder data, but the SSC has significant experience adopting and implementing standards globally. From mobile apps, to software PINs, to identity management (for KYC, AML etc.) to crypto-currencies, everyone developing technologies must adhere to a minimum set of protective baselines.

So am I really proposing, after so many less-than-positive blogs related to the PCI DSS and the SSC, that they be a standards body for every form of payment globally? Well, no, I’m not, but I think that if they don’t TRY to be just that (with the card brands’ backing), there is nowhere else for them to go.

Despite my voluble criticisms of the card brands and the SSC alike, they ARE well placed to do good. I hope they take the opportunity now, because it won’t come again.
