If there’s one thing recent news about the National Security Agency’s data collection programs has made clear, it’s that our personal information, especially online, can be exposed to others. Americans are now paying closer attention to protecting their personal information, and the president and Congress are discussing more stringent online privacy laws that address consumer concerns.
In a world where commerce is rapidly moving online, consumer data is vital to effectuating transactions and deriving maximum value from mobile commerce. And although protecting privacy is an important goal, we must not allow government regulations to place undue burden on the payments industry and consumers who rely on electronic forms of payment every day.
The payments industry understands the importance of protecting networks and data, and we have a long history of developing innovative solutions to ensure privacy and security in transactions. In fact, the standards set by the payments industry to ensure customer privacy are a model of security, and a real-world example of the ability of the private sector to regulate itself. While we must protect our nation’s online infrastructure, we also must protect the private sector from further government encroachment.
The Payment Card Industry Data Security Standard (PCI-DSS), created by the PCI Security Standards Council, is a model of the payments industry’s self-regulatory efforts. PCI SSC is the industry group tasked with developing, maintaining and enforcing standards to protect consumer data. It certifies auditors to evaluate merchants’ data security measures and can deny merchants the ability to accept credit cards if they fail to meet its data security standards. Members of the PCI SSC include banks, merchants and major payment card companies, such as MasterCard, Visa and American Express.
The PCI-DSS, established in 2006, serves as a model for other industries. This successful, industry-led, multi-stakeholder program provides a framework for payments companies to develop a payment-security process for the prevention and detection of, and response to, security issues. It creates uniformity for data security and breach notification across a range of industries and organizations, addressing consumers’ right to know when their information is in danger while minimizing compliance and legal risks.
The Electronic Transactions Association’s Mobile Payments Committee stands as another example of private industry setting standards to govern consumer privacy. The MPC is an industry-wide task force of 100 representatives from top companies in the innovative market of mobile payments, including credit card networks, processors, mobile network operators, developers, financial institutions and device manufacturers. The committee is tasked with developing and implementing solutions to the complex policy and business issues surrounding the emergence of mobile payments in the U.S. and globally. In combination with the National Telecommunications and Information Administration and similar agency initiatives, efforts like the MPC hold great promise for promoting innovation and consumer benefits while protecting consumer privacy.
As we move forward in developing security standards, it is essential that those standards remain voluntary, and that they be created with stakeholder input. The Cyber Intelligence Sharing and Protection Act, passed by the House of Representatives in April, presents a perfect example.