Industry Associations call for PCI Overhaul
Several industry associations are working to form a coalition to address payment security issues. Their goal is to provide their members with education and support for compliance in the short term, and in the long term to push for technology innovation that will create a more secure payment platform and replace the current system.
Those involved include the National Restaurant Association (NRA), the National Retail Association, and the National Association of Convenience and Fuel Retailing, along with the Retail Solution Providers Association (RSPA, a membership group for technology vendors and solution providers).
Hospitality Technology gets input from both the NRA and the RSPA on the objectives of the coalition. Here are highlights from the interviews. For the full report, download the 2011 PCI in Hospitality Report.
HT: Dave, many argue that card payment technology is a flawed system. What are your thoughts?
Dave Matthews, SVP and CIO for the National Restaurant Association: The National Restaurant Association believes the current payment system, based on mag stripe and signature authorization, uses old technology that is vulnerable to hackers who have developed expertise in stealing records. The system puts the burden of liability and risk mitigation on the restaurateur, the least technologically prepared point of the payment processing system.
There have been few improvements in the system since it was introduced, except for the directive to not store card data on the POS or backup computer systems and the development of point-to-point encryption to transmit card information securely. The merchant is still responsible for maintaining and monitoring technology platforms developed by others who profit from the system with little or no risk.
Further, though there have been advances such as encryption, the integration of these improved security measures is not universally available and is an added cost to the restaurateur.
HT: Joe, what can you tell us about the association coalition? And what is the RSPA, for its part, doing to push for a long-term solution to payment security challenges?
Joe Finizio, President & CEO, Retail Solution Providers Association: Payment security is a big problem, and in the scope of things, RSPA’s members are a small piece of the puzzle. That’s why we have worked with other industry associations to build a large voice by establishing an association coalition for transaction data security. This group has three main initiatives:
- Legislative: to bring Capitol Hill up to speed on the problem so that we can potentially transition the liability for the problem to the owners of the product.
- Technology Road Map: As of today, there is no clear technology road map. Is it EMV (EuroPay, Mastercard, Visa, the global standard for card security and interoperability), tokenization, point-to-point encryption, or even NFC on smartphones? We need clear direction so that merchants and technology providers do not have to spend dollars and resources developing, purchasing and implementing a short-term solution. Over the long term, it’s not productive for anyone.
- Education: We are collecting the best practices, recommendations, and education for all retail technology providers and merchants to create a Unified Data Security Resource Center. As a side note, RSPA makes its PCI Wise education available for our members and merchants at no cost.
At present, there is no leadership among the card brands to solve the problem. The PCI Council is positioning itself as a standards organization, not an organization established to fix the problem. The problem is confusing for the users of the system; there are the PCI Standards, then each card brand’s operating procedures, which are all open to interpretation. The problem will not be resolved without leadership, which is what we are attempting to provide with the association coalition.
Until then, to protect their networks, merchants should follow PCI’s guidelines. It’s a good start. Make sure that PCI Compliance and good data security practices are a lifestyle, not a one-time event.
HT: Dave, what is the NRA doing to push for the complete overhaul of payment in the U.S.?
DM: The NRA believes the data security compliance standards promoted by the PCI Council and the card brands and issuing banks are very complex—too expensive to maintain and beyond the resources and skill set of many of our members. These standards must be simplified to the basic security components necessary to protect consumer information.
More importantly, the payment industry must develop a technology roadmap that addresses new technology solutions such as tokenization and point-to-point encryption and addresses the challenges of existing systems and growing mobile payment systems. The new EMV/NFC initiative launched by Visa will go a long way to eliminate the mag stripe and transfer the liability away from restaurants that make the investment in the new readers. It's not an overnight solution, but it’s a good solution.
Finally, the liability resulting from data breaches and other criminal activity must be removed from the sole responsibility of the restaurateur and shared throughout the system, including those who developed the platform. Should the banking and payment card industries, which benefit most from the system, fail to develop technology solutions that address its flaws, the Association will explore options to raise the profile of the issue, and look to engage policymakers to seek solutions that properly share the risk and responsibility.