Three Takeaways from PCI London 2018
The latest PCI London event was held on July 5th, 2018 and featured a number of payment card industry experts along with a host of vendors providing PCI compliance and security solutions. TokenEx had the privilege of participating as an Education Seminar Sponsor, affording us the opportunity to speak at two seminars, and be introduced to many interesting people, ideas, and developments in the PCI space. Below are a few key takeaways from our experience at the event.
GDPR Uncertainty Continues
The General Data Protection Regulation (GDPR) was mentioned in almost every session at PCI London. There is still a lot of uncertainty around the compliance obligations that the GDPR creates, as well as how to meet them. Most companies attending PCI London appeared to have GDPR compliance strategies in place to varying degrees. Many were implementing their strategies in phases, while watching and waiting for the first enforcement actions to be taken. Yet almost universally, individuals indicated a lack of confidence in how bulletproof their strategies will prove to be. One reason for their concern was the outsized role played by Data Protection Officers (DPOs) in interpreting their organization’s obligations under the GDPR and leading the compliance effort. Most PCI London participants seemed to believe that the non-prescriptive nature of the GDPR will lead to discrepancies between DPOs’ compliance advice and the enforcement priorities of their respective Data Protection Authority (DPA).
As DPAs begin to hold organizations accountable to GDPR principles, such as transparency, lawfulness of processing, and security by design and by default, the enforcement priorities should become clearer. At that point, we can expect to see compliance strategy adjustments and hurried implementations as organizations attempt to mitigate their risk of becoming the next enforcement target. This is likely to result in continued expenditures by organizations as they move to bolster or supplement existing technologies and systems as part of their compliance efforts.
Pseudonymization Has Yet to be Embraced as a Solution
Perhaps due to the widespread uncertainty accompanying GDPR compliance, very few organizations have attempted to pseudonymize the personal data they are obligated to protect. There was a general awareness of the compliance value provided by pseudonymization by attendees at PCI London, given that it is synonymous with tokenization, a commonly utilized technology for PCI compliance. Pseudonymization, along with tokenization, is one of the only two data security techniques called out within the GDPR. Unlike PCI, however, there is not yet an annual audit mechanism driving organizations to implement specific technologies for compliance with GDPR.
Again, as DPAs begin to take GDPR enforcement actions, expect to see DPOs begin to take a more active interest in compliance technologies to avoid the massive fines that are possible under the GDPR. In contrast to PCI DSS compliance, GDPR compliance is likely to be driven by Privacy Officers and DPOs, rather than the IT Security Team faced with an impending audit. If you’re currently tokenizing the PCI data within your organization, consider expanding the use of this technology to pseudonymize the personal data you’re responsible for safeguarding.
The Future of Payments and PCI
Alternative payment methods such as wearables and mobile devices continue to disrupt the payment landscape, along with regulations like the EU’s Payment Services Directive (PSD2) and technologies such as blockchain. Although the recent update to the PCI DSS was a fairly minor revision, it doesn’t reflect the rapid change taking place within the payment industry. Rather than automatically reaching for their bank card, consumers have an increasing array of options when making payments.
You can expect the PCI DSS to continue evolving in an effort to keep up with the evolving payment industry. You can also expect tokenization to continue to be central to efforts to protect PCI data given its flexibility and proven effectiveness. Regardless of how you accept and process payments, tokenization can protect sensitive data of all types from theft and fraud.
John Noltensmeyer, CIPP/E/US, CIPM, CISSP, ISA is the Privacy and Compliance Solutions Architect for TokenEx. TokenEx is the industry leader for tokenization, encryption, and data vaulting. Follow us on Twitter and LinkedIn.