Sunday, July 24, 2011

A business case for the elimination of PCI

The PCI program (the Payment Card Industry Data Security Standard, PCI DSS) is one of the most important initiatives ever undertaken by banks and the card associations. Fundamentally PCI is about protecting card numbers, by masking, encrypting or simply not storing them, so that they cannot be used for purposes other than those intended. Because a credit card number, if known to a criminal, can be used to perform fraudulent transactions, it is important that these numbers are never available in the open.

While it is critical to implement PCI, the cost implications are high. Consider for a moment the number of systems and business processes that handle credit card data. Every one of them must be changed, maintained and supported so that it never displays, stores, logs or exchanges the actual card number in the clear. It is almost like making telephone calls without ever using a telephone number. The complexity and cost of conforming to PCI are huge.

If it were possible to build a payment system in which fraudulent payments were not possible even when card numbers were used in the open, the payment industry would save a lot of money. If the system were designed so that knowing my number only allowed you to send me money, never to take money from me, then it would be fine for you to have my number, and PCI would not be required. This is possible through mobile payments.
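The design difference behind this argument is between a pull model, where the account number itself authorises a debit, and a push model, where the number is a public address and only the holder's own credential can move money out. The toy ledger below is an added example written for this page, not code from the original post or from any payment system; it assumes a per-account secret key held on the holder's mobile device (an HMAC key here, standing in for whatever credential a real wallet would use), replay protection by nonce, and constructed accounts named alice, merchant and mallory.

```python
import hashlib
import hmac
import secrets


def _message(payer: str, payee: str, amount_cents: int, nonce: str) -> bytes:
    # Canonical encoding of the transfer so the tag binds payer, payee, amount and nonce.
    return f"{payer}|{payee}|{amount_cents}|{nonce}".encode()


def sign_payment(device_key: bytes, payer: str, payee: str, amount_cents: int, nonce: str) -> bytes:
    """Runs on the payer's device (assumed): only the holder of device_key can produce this tag."""
    return hmac.new(device_key, _message(payer, payee, amount_cents, nonce), hashlib.sha256).digest()


class Ledger:
    def __init__(self) -> None:
        self.balances: dict[str, int] = {}
        self.device_keys: dict[str, bytes] = {}      # issuer-side copy of each device key, never disclosed
        self.seen_nonces: set[tuple[str, str]] = set()

    def open_account(self, account_id: str, balance_cents: int) -> bytes:
        """The account id is public; the returned key is provisioned to the holder's device only."""
        key = secrets.token_bytes(32)
        self.balances[account_id] = balance_cents
        self.device_keys[account_id] = key
        return key

    def pull_debit(self, card_number: str, payee: str, amount_cents: int) -> bool:
        """Card-style pull: whoever presents the number can take the money. This is why PCI must hide it."""
        if card_number not in self.balances or self.balances[card_number] < amount_cents:
            return False
        self.balances[card_number] -= amount_cents
        self.balances[payee] = self.balances.get(payee, 0) + amount_cents
        return True

    def push_payment(self, payer: str, payee: str, amount_cents: int, nonce: str, tag: bytes) -> bool:
        """Push model: payer id is public; money leaves only with a valid tag from the payer's device key."""
        key = self.device_keys.get(payer)
        if key is None or amount_cents <= 0:
            return False
        expected = hmac.new(key, _message(payer, payee, amount_cents, nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # forged, or a tag captured for a different transfer
            return False
        if (payer, nonce) in self.seen_nonces:        # replay of a genuine, already-used authorisation
            return False
        if self.balances[payer] < amount_cents:
            return False
        self.seen_nonces.add((payer, nonce))
        self.balances[payer] -= amount_cents
        self.balances[payee] = self.balances.get(payee, 0) + amount_cents
        return True


def demo() -> dict[str, object]:
    """Constructed scenario: the merchant knows alice's account id and tries to use it both ways."""
    ledger = Ledger()
    alice_key = ledger.open_account("alice", 10_000)
    ledger.open_account("merchant", 0)
    # A merchant (or a thief) who only knows the id guesses at a tag; it cannot verify.
    forged = hmac.new(b"guess", _message("alice", "merchant", 500, "n1"), hashlib.sha256).digest()
    results: dict[str, object] = {
        "pull_with_number_only": ledger.pull_debit("alice", "merchant", 500),
        "push_forged_by_merchant": ledger.push_payment("alice", "merchant", 500, "n1", forged),
    }
    # Alice's own device authorises a transfer; the same tag cannot be replayed or redirected.
    tag = sign_payment(alice_key, "alice", "merchant", 500, "n2")
    results["push_by_alice"] = ledger.push_payment("alice", "merchant", 500, "n2", tag)
    results["replay_of_alice_tag"] = ledger.push_payment("alice", "merchant", 500, "n2", tag)
    results["tag_reused_for_other_payee"] = ledger.push_payment("alice", "mallory", 500, "n2", tag)
    results["alice_balance"] = ledger.balances["alice"]
    results["merchant_balance"] = ledger.balances["merchant"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is that in the push model disclosure of the account id is harmless: the only thing an attacker can do with it is credit that account. What must then be protected is the device credential, which lives on one device and is never transmitted to merchants or logged by their systems, so the scope of what needs PCI-style controls shrinks from every system that touches a number to the issuer's key store and the device itself.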

This is a thought: maybe the business case for the implementation of mobile payments could be built on the elimination of PCI.
