By Dale S. Laszig
The payments journey is a story of discovery, innovation and progress. For individual agents, ISOs, processors and security providers, the journey has not always been smooth; close encounters with bad actors led to stricter measures designed to mitigate risk and protect against threats. Through the years, these remedial approaches to security have evolved from recommended best practices to richly interactive discussions among all industry stakeholders.
As payments experts have noted, global standard bodies constantly pivot in response to emerging technologies and changing consumer and merchant behaviors. With each new payment solution, experts find ways to leverage the technology itself to protect it from harm. In this story, The Green Sheet interviews payments industry standard bearers, experts and architects who work across regions, industries and disciplines to shape secure commerce.
Emma Sutcliffe, senior vice president, standards officer at the PCI Security Standards Council (PCI SSC), recalled a vibrant discussion period in the months leading to the official release of PCI DSS version 4.0. "What made the feedback so valuable is that it represented a broad range of our industry and covered a lot of different types of organizations: merchant companies, financial institutions, acquiring organizations, service providers and vendors," she said. "The feedback came in from North America, Canada, Central America region and also Europe and Asia Pacific."
Sutcliffe said the council was pleased by the volume and diversity of commentary. She added that Lauren Holloway, director of data security standards at the PCI SSC, and their team read every piece of feedback—all 7,000 submissions—during the PCI DSS v4.0 Request for Comment period.
"PCI DSS Requirement 8, which concerns multifactor authentication (MFA), passwords and authentication systems, received the most comments," Sutcliffe said. Questions included where to apply MFA, what combination of letters and numerals constitute strong passwords, how frequently passwords need to be updated and how authentication requirements are evolving in alignment with other robust industry standards.
Sutcliffe pointed out that PCI DSS v4.0 gives qualified organizations more flexibility in how they achieve security objectives. "A security objective may apply differently to different types of payment environments," she said. "If it's a new method of processing payment information, this approach helps support organizations on the cutting edge of that change as they introduce new, innovative technologies or methods to address threats." Sutcliffe additionally noted PCI DSS v3.2.1's specified guidelines remain in place for organizations that require them. "In essence, the council provides flexibility to mature organizations that can perform a thorough risk analysis of their environment to meet security objectives whilst also supporting the organization that prefers clear guidelines," she said.
Sutcliffe described PCI DSS v3.2.1 as a mature, robust security standard that protects transitioning companies. A two-year window for migrating to the new standard, beginning in March 2022 and ending in March 2024, can be used to update infrastructure while phasing in PCI DSS v4.0, she stated.
"Because of these structural changes, we wanted to give organizations enough time to thoroughly familiarize themselves with the changes, not just the new requirements but all the other changes in the standard as well," Sutcliffe said. "This gives them extra time to update their processes, technologies and methods to meet security objectives." Additional information about PCI DSS is available at the PCI Security Standards document library: www.pcisecuritystandards.org/document_library.
Andrew Shikiar is executive director and chief marketing officer at the FIDO Alliance, a global standards association focused on strengthening and simplifying authentication by using open, scalable, interoperable methodologies that reduce reliance on passwords. Reflecting on FIDO's journey, which began in 2012, Shikiar said FIDO's U.S. and international working groups collaborate on actionable approaches to implementation and improving the user experience.
"In the 10th year since our public launch, we remain laser focused on our initial vision of creating open standards for simpler, stronger user authentication based on asymmetric public key cryptography," Shikiar said. "We're replacing knowledge-based authentication, such as passwords, with possession-based authentication, such as a security key or connected device."
FIDO is privacy preserving, user-friendly, possession-based authentication, and recent conversations have centered on usability, Shikiar stated, adding that this shows the market is maturing, and the standard is moving from whiteboard discussions to real-world use cases. He then highlighted proposed changes to FIDO's specifications.
Shikiar noted that MFA is widely used to step up security, but fraudsters can intercept one-time passwords (OTPs) and redirect unwitting end-users to phishing sites. Proposed updates to FIDO ecommerce WebAuthn specs recommend Bluetooth communications as a way to block phishing attempts during authentication. This update would facilitate stronger security without requiring users to carry specialized hardware security keys, Shikiar stated. Multi-device FIDO credentials would allow users to use one phishing-resistant authentication credential across a range of personal devices, such as phones, laptops, tablets and other connected platforms.
"Asking users to re-enroll each new device is an impediment to deployment and usability," Shikiar said. "We want to give relying parties the option of making a private key immediately available to users with a password-manager-like experience. Instead of automatically issuing a password, your password manager would issue a FIDO key. With this key, you could walk up to any new device and be recognized immediately, in a more secure way than passwords."
"If you look at why passwords are so successful, even push notifications, one-time passwords, it's because they're ubiquitous," Shikiar said. "Anyone can enter a password. It's not the best or easiest thing to do effectively, but anyone can do it. We need something equally ubiquitous to replace passwords, and we've made great progress with FIDO security built into every device."
On a recent family vacation, Shikiar found it necessary to create a username and password with each hotel and restaurant reservation on sites, he noted, that weren't even secure or high value. "Imagine a scenario where I could rely on a platform to log me into these things," he said. "Enabling this vision will start to minimize reliance on passwords for the user, and even more importantly, for the service provider."
For additional information on recent FIDO Alliance updates and use cases, visit https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases.pdf.
nexo is a global association dedicated to advancing payments interoperability by removing barriers to global acceptance. Headquartered in Brussels, the organization works across the payments ecosystem with acceptors, processors, payment schemes, solution providers and vendors. The association recently enhanced its nexo Implementation Specification (NIS) v4.0, a set of tools and guidelines designed to expedite development, integrations and deployment.
Jacques Soussana, secretary-general at nexo, said that interoperability is crucial for POS terminals. "Each card scheme usually requires its own software and hardware component, known as a kernel, within the payment terminal to support a successful transaction," he said in a statement. "For terminal manufacturers, merchants and banks, if you want to accept and support several payment cards, this can quickly become complex and expensive, sometimes requiring multiple point of sale terminals at the checkout."
Bohdan Myroniw, chief strategic officer at Amadis, a global software editing and development firm, said nexo standards streamline global deployments. "Standards like nexo create a level playing field," he said. "By sharing knowledge and best practices, developers no longer have to worry about how to do this or that. We can focus on the customer experience because payments is contained and where it should be and not a magical mystery."
Emmanuel Haydont, co-founder, acting CEO and business director at Amadis, agreed, stating that nexo is gaining ground. "Fiserv, ACI Worldwide, Ingenico, Verifone, FIS and other leading brands are evaluating nexo as a way to become more efficient," he said. "Instead of adding 20 different hosts in North America, 12 hosts in Australia and 2 more in Europe, nexo is universal, extremely modern and accelerates certifications that would otherwise take two years to complete."
Traditional models and standards are catching up with user behavior, Myroniw noted. Who would have thought three years ago, he pondered, that contactless EMV would become so popular with global demand for tap and go greater than ever before?
"Europe has had more experience with contactless but we're reaching ubiquity in North America," he said. "EMV, nexo and ISO 20022 are colliding to create new frictionless points of interaction for contactless payments. Ultimately, three principles are guiding retailers: (1) how can I attract a new customer? (2) How can I increase the spend from my customers? and (3) how can I reduce my costs? And in between these three principles, there are a lot of cracks."
Some cracks have to do with how retailers can make customer relationships sticky, and others have to do with how they can create a better experience, Myroniw said, adding that he and colleagues have had great discussions with merchants who want to make their customer experience unique, and these are complex enterprises that can't easily turn on a dime.
As payments professionals, we use standards and card brand initiatives, such as tap-to-phone for commercial off-the-shelf devices (COTS), to help partners and clients differentiate, Myroniw noted. "In the world of IoT, a COTS device could be a smartphone, scanner, tablet or the dashboard in your pickup truck," he said.
"It could be the back of an airplane seat; you just add an NFC circuit to these Android-based points of interaction." For additional information on nexo, visit https://www.nexo-standards.org/.
Adam Perella, manager at Schellman, noted that global standards are ever-changing. "When PCI DSS was first written, everything was on premise on an actual server rack," he said. "With migration to cloud environments, we assess each technology and interface that data flows through."
Ashish Jain, chief product officer at Arkose Labs, reflected on the journey from an industrial-led to information-based economy. "This brings us to today's decision economy," he said. "A crest in time when companies use data to set strategy, hire, innovate and battle online fraudsters."
Myroniw agreed, stating that the pace of commerce is accelerating. "In my world of COTS and legacy devices, regulatory requirements can bog us down," he said. "One thing COVID taught us is standards have to move faster than ever before."
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next