Apple Pay and PCI Compliance

November 20, 2014, Matt Getzelman, PCI Practice Director

A year ago, many retail cybersecurity discussions began and ended with PCI compliance. Today, after a gut-wrenching 10 months of data breaches stretching from mom-and-pop shops to category-leading brands, the discussions are broader, the risks are better understood and every link in the customer data chain is coming under newfound scrutiny.

The changed environment is obvious in the rollout of the new token-based Apple Pay system. On the one hand, this is simply an evolutionary step in the mobile payments space. It’s a big step, because when Apple makes a move into a new area, it typically becomes a massive driver of consumer pick-up and use. But mobile payments have been progressing for years and Apple is simply entering into territory that has already been pioneered by many others.

On the other hand, the specific way in which Apple has designed its new system to enhance data security and consumer privacy resonates with the market in a way that was unthinkable before the world changed. Mobile payments used to be about convenience – now they’re about security. (Although convenience will, in the end, determine whether the system takes off.)

Apple Pay will enhance security, at least for the transactions that are directed through it. The multiple layers of protection based on fingerprint identification, a dedicated chip to hold payment information, and a single-use payment “token” offer security that’s light years beyond the 1970s-era magnetic stripe that’s still used today for the vast majority of card-present transactions.

However, fraudsters adapt quickly to new technologies. When European card providers switched to more secure EMV / chip-and-pin systems, fraud quickly moved online, where the new technology provided no advantage.

At least in the short and medium terms, Apple Pay will not be The Solution to the data security challenges the retail and financial services industries are facing. If adoption grows, the number of transactions going through older technologies will decrease. On net, this will improve the security of the payments ecosystem.

However, the chicken/egg issue of consumer/merchant adoption means that retailers who weren’t part of the initial announcement can take a “wait and see” approach before investing in expensive new hardware to accept NFC-based payments. The most theoretically secure payment system in the world isn’t much help when consumers can’t actually use it.

For information security professionals, awareness of Apple Pay’s potential shortcomings is actually a good thing. We understand there are no silver-bullet solutions to achieving data security. After years of myopic focus on PCI compliance and EMV technology, it’s good that this same understanding is spreading out to consumers and up to the board room.

As video of the first transactions with Apple Pay show up on the evening news, retail CEOs have some serious discussions on their hands. Does the enhanced security of some transactions justify the costs of broader rollout? Can reduced risks and potentially lower transaction fees outweigh the loss of a treasure trove of customer payment information that powers loyalty programs and targeted marketing efforts?

The Year of the Data Breach has an impact on all these discussions. The days when security could be delegated to IT and forgotten are long gone. Cybersecurity now has a material impact on day-to-day operations, brand value and customer trust. If a better option becomes available, how long can a merchant decline to offer it?

Every organization needs to take a holistic approach to managing IT risk. That approach starts with basic questions like: What information do we have? Where is it? Who’s responsible for protecting it? And, in the worst case scenario, what happens if it’s compromised?

Apple Pay is an exciting new development and holds significant promise, but the industry is still going to need the PCI DSS, robust security programs and scope-reducing technologies like point-to-point encryption to protect traditional cards. Fraud always finds a way.

Matt Getzelman


Matt Getzelman — PCI Practice Director

Recent Posts

Post Topics