The payment card industry has changed since its inception. What are the regulatory agencies doing to keep card users data safe? And, which of those changes will cause your company’s systems to need to be updated?

The start of the modern-day payment cards can be linked as far back as the 1920s when department stores and oil companies offered customers metal charge plates and “courtesy cards”, according to “Paying with Plastic” by David S. Evans and Richard Schmalensee. By the late 1950s, the idea had evolved to resemble what we think of today as payment cards with companies like Bank of America and American Express offering card options. After the Great Recession of 2007-2008 Americans shifted to using debit cards over credit cards. In 2017, Americans debit card use grew from $2.1 trillion to $2.56 trillion in an article from creditcards.com. According to another article from creditcards.com, seven out of ten Americans have at least one credit card. With all the growth within the payment card industry, one has to question what is being done to protect the data of the consumer? From the standpoint of a corporation, how up-to-date are your company and its systems with these ever-evolving regulation changes?

Regulation Agencies Brief History

The Payment Card Industry Security Standards Council (PCI SSC) was created in 2006 to enforce a Payment Card Industry Data Security Standard (PCI DSS) for credit card merchants and service providers worldwide. The standard ensures secure protocols regarding credit card storage, processing, and transmissions to aid in reducing fraud. The council conducts compliance audits annually.

A version of PCI DSS was created prior to the establishment of the PCI SSC. In September 2006, version 1.1 addressed minor revisions in the standard version. Since then, seven more versions have been released.

  • 2 in October 2008
  • 2.1 in August 2009
  • 0 in October 2010
  • 0 in November 2013, but was only in effect from January 1, 2014, to June 31, 2015
  • 1 in April 2015, but became ineffective after October 31, 2016
  • 2 in April 2016, but will become ineffective after December 31, 2018
  • 2.1 in May 2018

One of the most impactful changes went into effect on July 1, 2018. Credit card merchants and service providers can no longer support Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0. protocols. Those communications channels and their earlier versions have ceased to be secure. Your company will be at risk due to numerous susceptibilities if you do not update your systems. According to the National Institute of Standards and Technology (NIST), a fix or patch will not eradicate the vulnerabilities in SSL or early TLS. They strongly suggest organizations upgrade their online systems immediately or run the risk of regulatory violations and data susceptibility.

How the payment card industry will change with the advancement of technology is undetermined. However, change is inevitable especially if technology has anything to do with it. More and more consumers are purchasing through mobile options or online in which they do not even need to bring out their cards. What is yet to be seen is how the regulatory agencies are going to be addressing these changes and at what speed.

The Role of Redbridge

At Redbridge, we have a team of experts who diligently keep abreast of industry trends and regulatory changes worldwide. With teams based in Europe and North America, we have experts that can help you navigate the dynamic landscape of the payment card industry. By consistently keeping our finger on the pulse of the ever-changing world of card payments, we can help you locally, regionally, and internationally. Our transparency and global expertise are our strengths. Contact us to find out more.

Receive our publications