Securing Electronic Payments: Let Industry Take the Lead | Commentary
If there’s one thing recent news about the National Security Agency’s data collection programs has made clear, it’s that our personal information, especially online, can be susceptible to being seen by others. Americans are now paying closer attention to protecting their personal information, and the president and Congress are discussing more stringent online privacy laws that address consumer concerns.
In a world where commerce is rapidly moving online, consumer data is vital to completing transactions and deriving maximum value from mobile commerce. And although protecting privacy is an important goal, we must not allow government regulations to place an undue burden on the payments industry and on the consumers who rely on electronic forms of payment every day.
The payments industry understands the importance of protecting networks and data, and we have a long history of developing innovative solutions to ensure privacy and security in transactions. In fact, the standards set by the payments industry to ensure customer privacy are a model of security, and a real-world example of the ability of the private sector to regulate itself. While we must protect our nation’s online infrastructure, we also must protect the private sector from further government encroachment.
The Payment Card Industry Data Security Standard (PCI-DSS), created by the PCI Security Standards Council, is a model of the payments industry’s self-regulatory efforts. PCI SSC is the industry group tasked with developing, maintaining and enforcing standards to protect consumer data. It certifies auditors to evaluate merchants’ data security measures and can deny merchants the ability to accept credit cards if they fail to meet its data security standards. Members of the PCI SSC include banks, merchants and major payment card companies, such as MasterCard, Visa and American Express.
The PCI-DSS, established in 2006, serves as a model for other industries. This successful, industry-led, multi-stakeholder program provides a framework for payments companies to develop a payment-security process for the prevention and detection of, and response to, security issues. It creates uniformity for data security and breach notification across a range of industries and organizations, addressing consumers’ right to know when their information is in danger while minimizing compliance and legal risks.
The Electronic Transactions Association’s Mobile Payments Committee stands as another example of private industry setting standards to govern consumer privacy. The MPC is an industry-wide task force of 100 representatives from top companies in the innovative market of mobile payments, including credit card networks, processors, mobile network operators, developers, financial institutions and device manufacturers. The committee is tasked with developing and implementing solutions to the complex policy and business issues surrounding the emergence of mobile payments in the U.S. and globally. In combination with the National Telecommunications and Information Administration and similar agency initiatives, efforts like the MPC hold great promise for promoting innovation and consumer benefits while protecting consumer privacy.
As we move forward in developing security standards, it is essential that those standards remain voluntary, and that they be created with stakeholder input. The Cyber Intelligence Sharing and Protection Act, passed by the House of Representatives in April, presents a perfect example.
The legislation addresses cybersecurity by putting the government and the private sector on the same page, sharing information about cyber-threats without imposing stifling regulations. Many financial institutions are eager to adopt voluntary standards like those passed by the House, as doing so increases consumer confidence and promotes investment. The industry needs the right information to make informed decisions to protect its online infrastructure. Government regulations run the risk of stifling the very innovation that could keep systems secure.
Unfortunately, no regulations are going to ensure that privacy leaks never happen. While we do all we can to defend against breaches, human error remains a constant. As recent weeks have shown all too clearly, even the government doesn’t have immunity from leaks — and the results can be devastating.
Still, the payments industry has a history of rapidly evolving to address security threats. As policymakers consider security measures for electronic payments, they must allow the industry the autonomy it needs to set security standards without killing the innovation that ultimately keeps us secure.
Jason Oxman is the CEO of the Electronic Transactions Association, an international trade association representing more than 500 companies worldwide.