COMMENTARY: A Look at the Top 4 Security Trends for 2017 in the Payments Industry
After years of card-data breaches and other bad news, four very encouraging trends are emerging that bode well for better security. Here’s a quick look at all four:
Integrators are taking the QIR program seriously. When the PCI Security Standards Council and Visa Inc. initially released the Qualified Integrator and Reseller (QIR) certification program in 2015, it was welcomed with little to no enthusiasm. Many thought the short timeline for QIR certification was unfair; most did not take it seriously. The initial due date overlapped with the EMV liability shift, and resources were strained just to keep up with EMV certifications.
In fact, only 73 companies completed and passed the QIR program in 2015 with the original due date of Jan. 1, 2016. The PCI Council and Visa took quick notice and moved the due date to Jan. 31, 2017, when, under Visa rules, acquirers had to begin using only QIRs for integration work with small merchants.
In 2016, with the help of associations such as the Retail Service Providers Association (RSPA), which helped promote QIR awareness, and companies such as Vantiv Inc., which helped sponsor QIR certifications, many more companies jumped on the QIR bandwagon. In fact, 233 U.S. companies received their QIR certification in 2016.
This trend is continuing to grow. Another 51 companies have passed their certification so far in 2017, and the number of companies passing this certification is expected to rise in the coming years, which is good news since it doesn’t look like PCI will extend the due date again. However, with an estimated 5,000 ISVs and VARs in the U.S. alone, there is still a long way to go.
More payment solutions are seeking P2PE validation. When the PCI Point-to-Point Encryption (P2PE) certification requirements were first released three years ago, the process was very costly and somewhat ambiguous. This is probably why, until recently, only a few companies in the U.S. pursued and completed their PCI P2PE validation.
A little over a year ago, the PCI Council released its new certification requirements with more transparent rules. It also allowed companies to certify only the individual components of the P2PE chain in which they participate. For example, key-injection facilities (KIFs) are allowed to obtain certification for the key-injection, key-management, and device-tracking services required by PCI for a P2PE-validated solution. One such company to explore this was ScanSource, which was part of one of the initial validated solutions in the U.S. and completed its PCI validation in January as a standalone PCI P2PE-validated KIF. This allows any gateway to use ScanSource’s key-injection services.
The demand for a PCI-certified P2PE solution is also on the rise. Since merchants can’t be out of scope or obtain reduced scope status without a PCI-validated solution for credit card processing, more merchants are putting the PCI validation in their requests for proposals to reduce the risks and costs of compliance associated with having credit card data in their network. For these reasons, more payment providers will pursue their P2PE certification in 2017, keeping qualified security assessors in heavy demand.
EMV certifications are faster and more robust. In 2015, EMV certifications came at a snail’s pace, and most were not released until after the liability shift due date. The few that were released were basic, excluded debit support, and only included one processor. Some of the EMV upgrades even broke the transaction process and had to be turned off shortly after being implemented.
Now that the initial certifications are complete and everyone has been trained on how to get EMV-certified, we are seeing more merchants with EMV fully deployed.
The EMV solutions are also more complex now, including debit, near-field communication, and a shorter transaction time, as well as being available for more intricate environments, such as pay at the table and health care. Certified solutions are being released much faster because of changes made around “faster EMV” and Visa’s allowing acquirers to self-certify their merchants’ solutions. This increased pace for EMV-certified solutions will continue well into 2019 now that many have figured out the EMV puzzle that until recently plagued the payment industry.
End users are willing to pay for security. Data breaches, credit card fraud, and cyber attacks are the new normal. Gone is the shock that we felt when we first heard of the TJX Cos. Inc. and Target Corp. breaches. Every other day, we hear of yet another breach, shrug our shoulders and move along. These days, it isn’t about if a merchant will be breached but a matter of when. For that reason, there are more and more services that help meet PCI compliance.
Many resellers have developed a software-as-a-service solution for PCI services for things such as patch management, antivirus monitoring, password management, and terminal management. Merchants are willing to outsource these services instead of developing and maintaining the tools to stay in PCI compliance. Additionally, merchants are also willing to invest in PCI security in order to protect themselves. In many cases, merchants are even electing to outsource these services as an added layer of protection.