A Finextra member 01 September, 2017, 16:45 1 like

Hardly surprising. PCI-DSS is the most ludricrous set of standards imposed upon merchants who's sole interest is in wanting to take payments quickly and securely from their customers. The fact that the card schemes have allowed the card details to be compromised and used fraudulently simply demonstrates that cards, as currently used, are no longer fit for purpose. The galling fact is that it's the merchants who are having to invest millions of dollars in shoring up their systems for what is in effect, a lack of leadership and advance planning by the card schemes.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 01 September, 2017, 19:16 0 likes

If retailers move their systems and data to the cloud, will it become easier or harder for them to get PCI DSS certification?

Michael Kyritsis - ACI - London 04 September, 2017, 08:36 0 likes

Ketharaman I sense yours is a rhetorical question, because you're too smart to not know the answer! But for everyone else's benefit I'll offer an answer... retails get huge scope reduction by using a payments solution in the cloud especially if it is a P2PE validated solution. But they are never completely out of scope of PCI DSS because (for example) the card number is still embossed on the card. In this sense I agree wholeheartedly with the sentiments of the first commentor - I'm sure the issuers could secure the data at source.

Rodney Farmer - Realtime Transactions - Little Rock 04 September, 2017, 10:37 0 likes

That is a strong rebuke for a standard that recently celebrated its 10th anniversary.  The standard sets out requirements and ongoing process for segmenting comm networks having sensitive data, encrypting the issuing and acquiring data bases, and encrypting the channel/message and tokenizing the payment credentials.  

Every player (cardholders, banks, merchants, acquirers, processors)  in the payment value chain is susceptible to criminals trying to steal the data; thus, we all must take responsibility for our area.  If anyone in the chain fails to provide sufficient protection, we all lose.  

Large and small merchants alike need only take a certified POS device from a certified provider and avoid doing anything to circumvent the built-in security. Problem solved for a few hundred quid.  Of course, as the data is needed to manage ones business, careful management of payment credentials is an absolute requirement that is all too often overlooked (50% apparently).  

The focus for the past few years has been to "devalue the data", making it useless to the criminal.  Preventing access to data and sufficiently encrypting and tokenizing the same will eventually have the desired result if the standards are applied.  I encourage you to make use of the standards and resources available in the market today. 

Alternatively, I would like to know your thoughts on what is now "fit for purpose", today?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 04 September, 2017, 11:10 0 likes

@Michael Kyritsis:

TY for your kind words. Brevity might make my question appear rhetorical but it is anything but that.

Let me elaborate: I'm referring to migration of an onprem system to the cloud, not signing up for a new cloud system. For years, the retailer's onprem system has been compliant with various industry certifications viz. PCI-DSS. Now, the retailer wishes to migrate all its systems including Retail ERP, Billing, Payments, and so on to the cloud. Given the scope of systems, the retailer may want to opt for a horizontal cloud platform like AWS or Azure instead of different vertical cloud platforms, one for ERP, another for payments, and so on. My question is: In that situation, is it possible for the retailer to ask Amazon / Microsoft to only make their payment system complaint with PCI-DSS?

In a broader sense, my question is equally applicable to other industries e.g. Banking, where different systems need to be compliant with different industry regulatory standards (e.g. OFAC) and industry certifications (e.g. PCI DSS). If a company moves all its systems - including payments - to the cloud, will the cloud provider provide OFAC compliance for System A, D and E and PCI-DSS compliance for System B, F"?

Michael Kyritsis - ACI - London 05 September, 2017, 19:17 0 likes

@Ketharaman: Migration of an onprem system to the cloud would give a retailer very few benefits, but the PCI DSS standards do cater for it in Appendix A “Additional PCI DSS Requirements for Shared Hosting Providers”. It contains this note: Even though a hosting provider may meet these requirements [separation of entities, and physical security measures], the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable. In answer to your question Amazon / Microsoft cannot make the retailer's payment system complaint with PCI-DSS, they can only provide a data centre the has the necessary requirements for the retailer to achieve PCI-DSS. In our experience the overwhelming majority of retailers have already moved, or are looking to move, to a SaaS solution because they don’t want to be burdened with the technical requirements of security, compliance with the card scheme mandates, etc.

@Rodney: my thoughts on what is now "fit for purpose" today is to separate CNP from card-present. Why is the same PAN embossed on the card, encoded in the magstripe, and in the CHIP? If they were 3 different numbers (all linked to the same account) a retailer could decide to accept EMV only (in those markets where it is already very well established) and any data passing through the payments system would be useless to fraudsters trying to create counterfeit cards or do fraudulent CNP transactions.

Rodney Farmer - Realtime Transactions - Little Rock 06 September, 2017, 07:12 1 like

Agreed.  In 2007, I was issued a MC branded pin-only-debit card by an Austrian bank.  The number on the face of the card is merely a reference number.  It has no magstripe and the chip contains the real number.  The point is that everything you mentioned is possible but requires the market players to adopt it including the consumer.  

Payment markets are set to fragment in its deployment of cards and other payment solutions.  Europe has/will regulate standards with the implementation of PSD2 and ultimately disintermediate cards altogether.  

Mobile will help us accomplish fit-for-purpose via instant issue, HCE, user driven card consoles, new security features like 2Factor, etc.  The thing to remember is from where we came.  Today security concerns and CNP e-comm are ubiquitous and card issuers have been unwilling to set limitations of use that would diminish the use of cards.  Top of wallet with interchange income is more important that fraud losses.  With thieves continuing to improve and payments becoming more competitive, the evolution will only continue.  

Improvement is, in this case, the enemy of Innovation.   

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 September, 2017, 08:36 1 like

@Michael Kyritsis:

Okay, I take that as a NO on public cloud!

This is the first time I'm hearing that Amazon / Microsoft can provide a datacenter. In that case, it's a no-brainer that a given company can do whatever it wants on its dedicated datacenter to make some systems compliant with X reg and some other systems compliant with Y certification. My question was specifically related to public cloud and was based on the assumption that Amazon / Microsoft will find datacenter to be the antithesis of their public cloud offering. 

There are others on Finextra who make a strong case for a company to move its existing systems to public cloud rather than replace them with SAAS e.g. https://www.finextra.com/blogs/fullblog.aspx?blogid=14425. So, I guess, it's different strokes for different folks!