As credit card payment matures in Asia and comes to dominate the online retail market, cardholders’ information has increasingly become a target for criminals. This is particularly the case with the adoption of cloud computing, where technology providers and retailers have yet to define their respective responsibilities for credit card information.
The PCI Security Standards Council plans to build a stronger presence in Asia to provide support for credit card providers, merchants and cardholders in the region. Jeremy King, PCI European Director, talked with Retail Tech Innovation about the council’s plans in Asia and how the PCI Security Standards provide guidance to merchants in the era of the cloud.
What does PCI do?
The payment process between merchants and payment service providers, especially in the e-commerce space, creates the potential for data breaches, and criminals are targeting the gaps. We provide training and guidelines for merchants to meet the PCI Security Standards in order to protect their customers’ data.
There is currently one security standard across the world. But it is constantly evolving. This year the council published two guidance documents, on cloud computing and on e-commerce. They were prepared by experts in our special interest groups, which include vendors and merchants. It’s truly guidance that’s written for the community by the community.
PCI works its absolute best as a community. People should never see PCI as something being enforced on them, but as something they can actively participate in. We run different special interest groups and look at areas that are seen to be a challenge.
How is PCI’s community developing in Asia?
We are in discussion with China Union Pay for their involvement within the PCI council. JCB from Japan has been involved and actively driving the PCI standards. We have conducted training in Japan and translated many documents into Japanese and Chinese.
There are 650 special interest groups around the world, and 43 of them are based in Asia Pacific, mainly in Australia and New Zealand. We are aiming to expand the communities and involve more parties across Asia Pacific to identify issues and challenges for the region.
One major challenge among merchants appears to be cloud computing. How does the council help merchants in this area?
Cloud computing is increasingly popular, as merchants are enjoying significant cost savings by moving data to the cloud. The major challenge is the understanding of responsibilities between the parties: who is responsible for what?
Before organizations adopt cloud services, I urge them to read the contract carefully. Cloud providers offer different options and price points. But very often, when merchants want to access the data, they realize they have no right to it. Merchants should be clear where the responsibilities lie between themselves and the cloud providers. What happens if there’s a breach and an investigation is needed? How is the data backed up? If they want to move to a different cloud provider, can they do it? What happens to the data that used to be hosted at the cloud provider? Our latest guidance document helps merchants work with their cloud providers to answer these questions.
How does mobility change the way cardholder information is protected?
The major challenge with mobile commerce is that mobile devices have yet to become a secure platform. When you look at standard payments, these processes have been around and been refined for years. The average lifecycle of a physical card terminal is 7-10 years, but in the mobile world you are almost turning years into months. If it takes two years to build a secure mobile platform, that’s already too long, but if you build an insecure mobile platform, it’s equally a problem.
We are trying to work with different parties within the industry to develop guidelines and training so that merchants can develop mobile apps in a shorter timeframe without compromising security.
What other training does PCI provide?
We have training courses ranging from general PCI awareness, which is available to anyone within an organization, to technical security audit programs. We encourage merchants to participate in the QSA (Qualified Security Assessor) program, so they will understand the auditing process and the areas the PCI Council looks at. We have just started to provide training in the region, and a week-long program was held in Sydney recently.
We also offer the Qualified Integrator or Reseller (QIR) program, which targets software providers. We discovered that data breaches often occur when software was not developed or installed securely, so the QIR program aims to train software providers to build a more secure environment.
How are the PCI standards updated to ensure they cover evolving technologies?
The PCI standards are updated on a three-year lifecycle. 2013 is the year for the update, so last year we reached out to the community to find out what needs to be changed and what is relevant or needs to be included in the standards. From this feedback, we are able to keep the standards relevant and provide the best level of security for merchants.
This year will be the fourth update of the PCI standards. Different special interest groups and communities were involved in identifying areas to update, driving discussion on clarifications and seeking experts to publish guidance documents for the community.
CEO Talking Shop is the Retail in Asia section devoted to interviews with brand CEOs and retail industry leaders.