BankThink

Hardware and software need PCI's standards more than ever

There’s a good reason why payments hardware has stood the test of time. It’s secure. It meets the robust standards required for secure payment transaction processing. But it’s also cumbersome. It creates a bottleneck that counters the rest of the experience the retailer has worked so hard to improve.

Using mobile phones for payments is a great advancement. But generally speaking, mobile phones are not secure. They have secure elements within them, but the fragmented nature of phone manufacturing makes it difficult to secure them for things like payments.

The Payment Card Industry Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. It plays a critical role in ensuring the solutions deployed to market aren’t developed by anyone with a laptop and coding skills, and that they meet the robust and stringent standards required to deliver payments securely.

Achieving PCI certification is much more than just having your solution adhere to its standards. It involves every aspect of the company, from policies and procedures to having the right skillsets, down to how you employ and manage people. PCI is something that is instilled through the fabric of the entire company, which means you need a certain degree of business maturity and capital, and that is why it is so difficult to achieve.

For many years, you could not deploy any payment solution without it being PCI certified. This was when all payment solutions were hardware based and had remained relatively unchanged for some time. It got more interesting when the playing field shifted into other dimensions, such as software-based payment solutions, for which there was no existing PCI standard.

And as is often the case with technology innovation, it leaps ahead of standards and regulations and we find ourselves in uncharted waters. But also, the market’s response to such innovations means there is pressure to have these new solutions deployed and adding value. So, with software-based payments, when we see scheme waivers being issued it generally means there are solutions in market that probably don’t pass muster when it comes to PCI standards.

This is an important point because there are solutions in the market under scheme waiver that may not have been built with a robust enough foundation of security. In a world with levels of fraud we’ve never seen before, any payments solution should be able to withstand the rigor of PCI standards, irrespective of whether it has to meet them right now or not. And any business looking for a software-based payment solution to help create innovative and seamless end-to-end customer experiences should have the security of the solutions they are considering at the top of their list.

And this brings me to the technology. Innovating in the payment solutions space is not easy — there are many aspects that impact successful adoption. Consumer education and trust is a biggie. Consumers today want and embrace new technology if it makes their lives better, but when it comes to things like making a payment, they need to feel secure.

There’s no question that the world is experiencing a digital revolution. The power has shifted to the consumer, who (for some time now) is dictating how they want their experiences with brands to be. Customer experience is table stakes, and these stakes have never been higher.

A quick Google search on payments will serve up myriad examples, ranging from how COVID has accelerated the adoption of contactless and the rise of digital technologies to how financial crime is on the rise.

Visa’s recent "Back to business" study notes that the number one area of tech investment in 2021 will be in payment security and fraud management software, with 47% of small businesses believing this is a critical area of investment to meet consumer needs. As fraudsters ramp up their activities and the cost of acquiring stolen IDs on the dark web decreases due to the sheer volume now available for purchase, we will see an even greater surge in fraud, particularly as sectors such as travel reopen and start processing large volumes of transactions.

According to the 2020 Salesforce State of the Connected Consumer report, 84% of consumers say the experience a company provides is as important as its goods and services, and 54% say companies need to transform how they engage with customers.

If we look at how this applies to the payment aspect of the customer experience, this is an area that has not changed a lot, until recently. For example, in a physical retail store there are technologies that can improve almost every aspect of the shopping experience, yet customers often still need to line up at the front of the store to pay using hardware that is literally fixed to a counter.

Some parts of the world have been using debit cards with PINs since the mid-1980s. PIN is a universally trusted and familiar part of the payment process. Being “something you know,” a PIN cannot be stolen or hacked, which makes it the ideal way to verify a payment transaction. The introduction of PIN in card-present environments significantly lowered losses from fraudulent use of credit and debit cards and it brings lots of other benefits.

Software-based payments technology has developed a way to utilize PIN as the gold standard in authentication. In doing so, the best of both worlds can be achieved — payments solutions that can be shifted to mobile devices and offer up unparalleled opportunities to improve the customer experience, which are anchored by a process that is universally familiar and trusted. But, not all software-based payments solutions are equal and my advice to any organization looking at deploying this type of technology is to really understand exactly what it is (and isn’t) before you sign on the dotted line.
