Payments security is mainly a problem for the USA, right? Wrong!
Wednesday 25 April 2012

The recent press coverage of the Global Payments breach, closely followed by the final settlement of the Heartland court cases, is USA-centric, it is true, and to the layman outside the payments industry it would appear that the problem is primarily based in the USA.

It would be right to think that there is a payments security problem in the USA, but the argument falls short where it assumes there is not the same, or at least a similar, problem elsewhere in the world.

PCI DSS, as a set of industry standards, is adopted across the majority of the world, with only a handful of countries as notable exceptions. One key distinction between countries is the varying laws around disclosure, i.e. some force companies to report publicly when they have been found in breach of the standards.

PCI DSS was established by the card schemes in an attempt to police the payments world and ensure the security of the ‘man on the street’s’ credit card details when he pays for his goods and services. In the USA, the central government states that breaches must be reported publicly; at present this is not true in Europe.

The USA has many issues within its payments culture, not least the mag stripe and the slow adoption of EMV chip and PIN, but one positive (in my humble opinion) is that the problem is publicized and talked about. As an aside, it is also important to note that if PCI protocols had not been in place, instances such as the Global Payments breach would not have been picked up and resolved as quickly as they were!

When people know there is a problem, a culture develops of solving issues, or at the very least of being very aware of the consequences ($3m had to hurt Heartland).

European businesses, which many argue have the safer payments hardware, especially with EMV chip and PIN, are not obliged to talk openly about payments breaches, and yes, from a protectionist point of view this is better for businesses, who do not have to admit publicly when they are in a payments mess.

This attitude, however, is a serious problem, be it through apathy or ignorance of payments security, as it gives the impression that there is no problem in Europe. The reality is that where payments are taken there will very likely be attacks and potential breaches happening every day; we simply don’t hear about them.

The powers that be in Europe agree, and the impending introduction of the new data security act in 2014 will see businesses, be they merchants, processors, PSPs or any other link in the payments chain, forced to report breaches within 24 hours, amongst other things. PCI DSS has done a great job, and the card schemes and central government working together will hopefully create a culture of needing to be secure, with all parties involved going out of their way to make sure they are secure and not just compliant. Roll on 2014…

Copyright © 2024 SkyParlour Limited
Registered in England and Wales, Company Registration Number 07009362