The PCI Council Plans More Rule Flexibility As It Eyes a Major Revision of Its Flagship Standard

Published by Digital Transactions
Peter Lucas 
September 19, 2019

Recognizing there is no one-size-fits-all approach to data security, the PCI Security Standards Council continues to evolve its requirements toward a goal of greater flexibility for payments providers. The new approach comes as the Council contemplates a new version of its core security standard.

Gathering in Vancouver, B.C., this week at its annual North America Community Meeting, the rules-setting body for electronic-payments security discussed topics that included the need for greater input from payments companies and development of security standards for contactless payments made on mobile devices.

To attract more industry input, the Council has changed the methodology used to develop a standard. Instead of soliciting industry input after an initial draft of a new standard has been written, the PCI Council will ask for feedback before drafting a new standard. Then, it will write the standard and ask for more feedback before publishing a final version. 

One change to make the public-comment process more meaningful is that the Council will publish notices to solicit industry feedback 30 days in advance of the start date. 

“Payment-data security is changing and we want to make sure that the PCI standards going forward are adaptable with the new technologies being deployed in the payment industry,” Troy Leach, chief technology officer for the Wakefield, Mass.-based Council, tells Digital Transactions News. “At the same time, we want to make (industry) feedback more transparent.”

One technology for which the PCI Council is preparing new standards is contactless payments initiated using a mobile device.

After years of fits and starts, contactless technology is gaining momentum in the United States thanks to ongoing adoption by mass-transit agencies. A rollout of open-loop contactless fare systems this year by New York’s Metropolitan Transportation Authority (MTA) and the Miami-Dade County Department of Transportation and Public Works is expected to significantly boost U.S. contactless volume. New York’s MTA reached 1 million taps in August after launching May 31. The Miami-Dade DTPW system has more than 6 million monthly bus and train riders.

Many contactless transactions, especially in transit, are made with smart phones. Mobile-based contactless apps typically include a tap-and-go feature within the device, making the form factor well suited to moving commuters quickly through a turnstile. Both the MTA and Miami-Dade DTPW fare systems support mobile devices.

“Smart phones are becoming a bigger form factor in payments, especially for transactions in quick-moving environments such as transit,” Leach says.

The PCI Council’s contactless-payments standard is scheduled to be published by year’s end, after which additional commentary will be solicited before the final standard is published.

In addition, the Council is planning a major revision, version 4.0, of its flagship PCI data-security standard, which it has not revised in a significant way for about six years, Leach says. The new version of the security standard, which is the standard from which all other PCI Council security rules are derived, will be open for review in October.

“The plan is to make the standard more dynamic so that this standard and all other standards that evolve from it will be adaptable to the next generation of payment technologies,” says Leach.

The Council was founded in 2006 by American Express Co., Discover Financial Services, JCB International, Mastercard Inc., and Visa Inc., which collectively govern the organization.