# RBTE: PCI Compliance is Cheap Compared to EU GDPR, Says Payment Security Panel


At RBTE at Olympia London, May 09 2017, a panel of payment security experts considered the future of secure payments and the impact that EU GDPR will have in a panel session titled Strengthening security without losing sales.

Jeremy King, international director of the PCI Security Standards Council, admitted that PCI compliance is “an expensive, massive thing”, especially, he noted, for smaller merchants without an IT team or an understanding of data and payment security. Set against the upcoming EU GDPR, however, he says that cost pales. “EU GDPR will hit everyone and the likelihood is that your systems where you store customer data won’t be secure. The cost of fixing that puts the cost of PCI compliance in the shade.”

“The regulators have sharp teeth and they’ll use them; merchants therefore need to take a stronger stance,” added King. “The PCI standards are the best chance they have.”

The size of the merchant correlates to its ability to look after EU GDPR, according to Ian Butler, head of EU security products at Elavon. “The bigger merchants can look after EU GDPR themselves, I won’t have any extra tools for them. The value lies in helping smaller merchants without IT teams. They’ll be the ones that get hit, so there is space to offer broader services to them.”

For PCI compliance, Elavon provide smaller merchants with access to a portal “to work through PCI and get you to a station of compliance”. He said: “We have added a new service that offers a call back to talk you through PCI and fill it in for the retailer. They still have to put the right measures in place technically and through staff training however.”

Transport for London’s analytical manager – fraud prevention, audit and risk, Graeme Forward, admits that despite the size and scale of TfL, it is not completely prepared for EU GDPR. “Are TfL 100% prepared for EU GDPR? No, but can we ever be 100% prepared? EU GDPR is so broad and vast, and for a large organization with outsourced data management, like TfL, the biggest issue is how wide the onus is on third parties.” Forward doesn’t see the UK leaving the EU as having a great impact on these standards. “We’ll still be bound by EU GDPR and will need to work at the highest possible standard.” 

King admitted that compliance does not equal perfect security. “If your organization has spent a lot of time and effort on becoming PCI compliant, it can still be breached.” The fall-out, however, can be less extreme if you are able to demonstrate compliance. “They are likely to take a more positive review,” he advises.

## Innovation and User Experience
Another theme of the panel was balancing payment security with usability. Butler declared that focus needs to be split between “making sure data stays safe in the background, whilst ensuring that the customer can make the payment easily in the foreground.”

The challenge, he added, is to keep up with fast-paced payment technology evolution. “PINs for example are no longer great”, he said. “Start with security and then work on the other elements – we need a sensible middle-ground. A great example is that Amazon don’t bother with 3D Secure because they know their other measures keep them secure.”

For TfL, the user experience is really important. Forward explained that the next big step for TfL is to use big data to marry up services so that users can access their Oyster admin, their congestion charge and their cycle hire all in one place. “It will be fantastic for the consumer. It will give us a headache, but also gives us big advantages. Our job is to keep that data secure whilst also getting all the benefits”, TfL’s Forward said.

For the PCI Security Standards Council, customer experience is also important. “A consumer’s experience needs to be seamless, quicker and secure,” said King. In order to achieve that, industry collaboration is essential, he added. “We’re a standards body so our great challenge is that we’re always playing catch-up,” he said. “Regulators in Europe and the UK don’t always get that as well as making payments more secure, we also need to make them quicker.”

Educating the public about how to detect when a website and payment transaction is secure is key, agreed the panel, whilst adding that it’s not easy. “You try to build trust in a brand, which should then breed trust in its payment security”, said Butler. 

“We can’t expect card holders to be experts in security, so it’s our responsibility to make those websites as secure as possible,” said King. “Keeping confidence in the brand, the process and the payment structure is everyone’s responsibility.” 

## Multi-Factor Authentication for Payment Security
King confidently asserted that the EU directive to introduce two-factor authentication will go through and will have “massive implications. We argued vigorously around the ability to use threat analytics, and they have fortunately listened. We need to look more closely at pragmatic approaches – for example, one of the standard second factors is an SMS message – but this doesn’t work if you are using the same phone to make the transaction.”

Butler agreed that “We need to find smarter and different ways of doing multi-factor authentication. RSA tokens are clunky, the sorts of technology emerging are voice and face recognition and sound matching recognition. We need to make it easier for the user to have a second factor”, he concluded.
