Today President Obama announced that the federal government will spearhead an effort to shift the nation’s payment card data system to EMV chip technology.  As the leading payment card standards setting body in the world, we at the PCI Security Standards Council welcome this announcement and are encouraged by the support in both the public and private sector for this initiative.  We are hopeful that the president’s actions today will kick off a long overdue national conversation about making payment card security a top priority, as this topic has far-reaching impact on our nation’s economy and the global economy. 

Many consumers already have EMV chip technology on their credit cards.  It’s that small little embedded microprocessor plate on the front of the card.  The EMV chip technology provides consumers with strong security features. It helps businesses lock down their point of sale. It provides protection against fraudulent transactions in face to face shopping environments.


But while EMV chip technology is an additional layer in data security protection, we at PCI are concerned that some might view it as the complete fix to payment card security – a new technology that fixes all data protection problems.  It is not. EMV chip technology will not prevent fraud in the card not present environment- which includes online, mail and telephone order purchases.  Media reports in the past year indicate that some of America’s biggest data breaches involved targeted malware.  EMV chip technology would not have prevented those breaches either. 

Since no one single technology is the answer, as we head into the holiday shopping season, it is important for American businesses to prioritize strong security principles by maintaining a multi-layer security approach that involves people, process and technology working together to protect consumers.  We cannot fall into the trap of thinking there’s a silver bullet.  Vigilance around data security must be an everyday priority.  This will require an overdue change in the corporate mindset. 

Criminals have sought to steal from merchants for centuries, and will continue to do so for centuries to come. With new approaches to data security, organized crime will switch targets and attack vectors. That’s why organizations can’t afford to be complacent. They must remain vigilant and establish, build and maintain security basics such as those covered by PCI Standards into everyday business practice. 

There are constant daily threats to payment card security and those threats are getting more and more sophisticated, which is why it is even more important for American businesses to make this issue a top priority.  This can no longer be just “the IT departments’ problem”.  It must be a priority in all parts of an organization. To make that happen it takes executive leadership. It must come from the top. Which is why it is encouraging to see the White House look seriously at this issue.

The PCI Security Standards Council is a global coalition that works across industries to develop strong business and technical standards, best practices and timely, actionable guidance to secure payment card data for anyone who stores, processes, or transmits payment card data.  PCI Standards are designed to be the floor, not the ceiling. We support a multi-layered approach to securing payment data and believe if a business does not need card payment data, then the business shouldn’t store it after a transaction is completed.  The combination of EMV with PCI Standards will be powerful for today’s global multichannel retailers.

The industry – including retailers and banks – is working hard to ensure the best security possible is deployed across the payment chain. The government can play a role through initiatives like today’s White House announcement and by raising awareness, streamlining data breach notification laws, improving public-private collaboration, encouraging information sharing and supporting strong law enforcement.

The payment card industry is out ahead of this looking for ways to keep improving our PCI standards in order to protect consumer’s payment card data. PCI Standards are a strong defense against data breaches.  No business wants to see its customers inconvenienced, its reputation damaged or its bottom line hurt. Involvement in the PCI Council has grown steadily since our inception, demonstrating the wider global business community’s commitment to this issue.

A collaborative and vigilant effort is the only way forward. Global alliances and partnerships between the private and public sector is the path to creating cyber security in the 21st century.

Orfei is general manager of the PCI Security Standards Council.