The PCI Security Standards maintaining payment security

25 March 21

The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

The Payment Card Industry Security Standards Council (PCI SSC) is a global organisation that maintains, evolves and promotes PCI standards for the safety of cardholder data across the globe. The European Payments Council (EPC) has been one of its participating organisations since 2008. We interviewed Gert Huizinga, who sits on the PCI SSC Board of Advisors (BoA) on behalf of the EPC, to learn more about this organisation, its main priorities and activities and its link to the European market in particular.

First, could you briefly introduce the PCI SSC? 

The PCI SSC describes itself as a global standards body that brings together payments industry stakeholders to develop and drive the adoption of security standards and resources for secure payments worldwide.

The PCI SSC mission is to enhance global payment-account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. This supports the needs of the global payments industry.

The council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. 

PCI SSC is an organisation of entities from all around the world. How is Europe represented in PCI SSC and what is the role of the EPC in PCI SSC?

PCI SSC has a BoA that currently consists of 31 industry representatives, eight of which are from Europe (Accor, Barclays, EPC, European Association of Payment Service Providers for Merchants or EPSM, European Card Payment Association or ECPA, Ingenico, Worldpay, Schwarz Group). In the early days of the PCI SSC BoA, Europe was less represented, but today PCI SSC even has a Regional Head for Europe – Jeremy King – who enables smooth communication and cooperation with PCI SSC in Europe.

Sitting at each other’s tables gives us a mutual understanding of the specific needs and issues to be solved.

Furthermore, we regularly get the opportunity to give a European update to the PCI BoA members. Topics we covered over the last years: regulations such as the revised Payment Services Directive, Regulatory Technical Standards for strong customer authentication and the recently launched European Payments Initiative.

Early information is also obtained via PCI SSC BoA membership about new developments in the international security standardisation domain.

How prevalent are PCI standards in Europe?

EMV and PCI standards set global standards that are important for the cards and mobile payments industry. All point-of-sale terminals in Europe that accept international card schemes comply with these standards.

The SEPA Cards Standardisation Volume describes the specific European needs for security and harmonisation of functionalities in detail. Among other standards, the PCI Data Security Standard (PCI DSS) and PCI PIN Transaction Security (PTS) Standard were used as important reference documents. 

In the early days, each -domestic cards scheme had its own rules and standards. The global view and approach of PCI SSC helped the domestic schemes abandon their specific local standards with regard to security, which resulted in higher efficiency and lower cost. Furthermore, European insights and default high security also contributed to PCI SSC getting its standards to a higher level. 

Generally speaking, what are the current main priorities and activities of PCI SSC? 

The major update of the so-called PCI DSS is scheduled for this year, but the development of the Software-based PIN-entry on Commercial Off-the-Shelf devices (SPoC) Standard is also of importance. This standard describes how consumer mobile devices (like mobile phones and tablets) can be converted into full service secure devices with the same functionality as the current well-known traditional PIN pads.

Another standard supported by the PCI SSC and used commonly throughout Europe is the PCI Point-to-Point Encryption Standard. This enables cardholder data and Primary Account Number (PAN) data to be securely encrypted at the Point of Interaction (POI), thus making it of no value to the criminal. 

Altogether, PCI SSC manages and runs 15 different standards aimed at protecting cardholder data across the entire payment lifecycle from card production and personalisation onwards.

These standards are continually being reviewed along with new technology and directions within the payments sector.

How do you see payment data security evolving in the next few years in Europe, and what will be the main challenges?

It is important to realise that Europe has a very good payment security track record: Chip and PIN is prevalent, two-factor authentication for ecommerce has recently been implemented and tokenisation is getting off the ground. In the USA, magstripe, signature and paper-based transactions are still prominently used, but this will rapidly change in the years to come.

This higher base-line security gives room to focus less on purely card-data protection and more on the whole payment lifecycle.

Payments are undergoing significant changes as new techniques and technology are introduced. PCI SSC is updating its software standards through the introduction of the new Software Security Framework as well as developments in mobile-based payments. 

We are seeing many new entities emerge, especially given FinTech’s move into the payments space. Continued cooperation with key European bodies and the PCI SSC is essential to ensure these new developments do not impact or reduce security. 
