Payments paradigm shift

Karl Steinkamp, Director, PCI Product and Quality Assurance

How cryptocurrency will reduce enterprise compliance burden

Crypto assets have been around for over a decade, and with the recent Coinbase IPO, we believe we are well past the point of calling this a “passing fad.” In fact, we believe that crypto assets — particularly bitcoin — have now passed the tipping point from being considered an unconventional investment vehicle to an international payment system.

The biggest barrier to mainstream market entry and widespread adoption for the crypto asset (soon to be cryptocurrency) has been the limited use surrounding complexities in acquiring and spending it, primarily as an investment vehicle. Past limitations and skepticism aside, however, recent and rising trends point toward a crypto market expansion. Global merchants and Payment Service Providers (PSPs) are now allowing crypto transactions and blockchain technology among central banks. Examples include:

  • Visa currently is, and Mastercard will shortly be, enabling buying, selling, and back-end settlement with bitcoin across all their global merchant accounts.
  • Major retailers now supporting bitcoin for payments include the Oakland Athletics, Home Depot, Starbucks, Whole Foods, Square, PayPal, and Overstock.
  • FIS just released the first solution, in partnership with NYDIG, to enable banking institutions to offer its customers the opportunity to buy, sell, and hold bitcoin in regular consumer accounts, thus enabling banks to drive fee income with it.
  • At least 80% of the world’s central banks are planning to, or are already developing, central bank digital currencies (CBDCs) to complement — and eventually replace — traditional fiat money, such as USD, GBP, etc. These initiatives are accelerating with intensity.
  • Applications that allow merchants to take bitcoin as payment in lieu of credit/debit cards or cash are proliferating.
  • Merchant banks that underwrite loans and the acquirers that process the payments are integrating bitcoin into their systems.
  • PSPs that now accept crypto are passing payments along in their native form to card companies or converting and passing them along as local fiat currency.
  • Further consumer adoption around the world will expand as crypto assets are reclassified as currency, although this isn’t required for adoption.
  • Driven by the diaspora of remote workers, operations, and cloud-supported supply chains, companies are starting to make payroll and pay contractors with crypto instead of local fiat currency.

These inexorable movements reveal the fact that banks, merchants, and service providers will be handling far fewer credit/debit transactions moving forward. This will likely reduce reliance on incumbent standards like PCI DSS, which in turn will reduce overall compliance burdens on the enterprise. By removing the vulnerability of payment card data, and with the ability to secure transactions using blockchain-based technologies, the focus moves to assuring security of stored financial data within the possession of each buyer/seller organization.

Emerging strategies and frameworks

In addition to the above, companies will need to learn how to handle cryptocurrency wallets, secure key storage, audit-log creation and maintenance, sanitization strategies, and adherence to emerging security frameworks like Cryptocurrency Security Standard (CCSS). The open-source CCSS, though designed to complement such standards as ISO 27001 and PCI DSS, spells the beginning of a market share shift away from the traditional payment card sector. In the absence of card data, compliance burdens will not go away. They will, however, diminish dramatically.

The bottom line is that cryptocurrencies are shedding their low liquidity and regulatory uncertainty and moving inevitably forward toward viable means of exchange.

In subsequent blog posts, we’ll outline what Coalfire is focusing on and what our clients need to know in relation to crypto and overall corporate security posture. We’ll take a deeper look into compliance and regulatory trends and help interpret new security strategies with an eye on shifting attack surfaces and threat scenarios.

Although this currency revolution will not happen overnight, retailers and card brands need to keep up. Early adopters are adjusting to digital currency integrations on their mobile devices, and conventional wisdom about passing crypto fads is fading fast.

Given this momentum and the speed of money, we’re advising our clients to adapt cybersecurity programs and controls to complement, and to account for, the move away from traditional payment strategies focused solely on protecting card data.

Although developments are happening slowly, they’re happening surely and fast enough that all organizations need to begin reallocating mission-critical risk management and compliance resources starting today.

Karl Steinkamp

Author

Karl Steinkamp — Director, PCI Product and Quality Assurance

Top