Balancing Innovation And Compliance: The PCI Challenge

By Ben Carsley, Managing Editor (@BC_PYMNTS)

Since its launch in 2006, the Payment Card Industry Security Standards Council – or PCI SSC, as it is more commonly known – has drawn on the collective knowledge of payments industry leaders to provide guidelines for making payments more secure.

The council’s five founding members – MasterCard, Discover, Visa, American Express and JCB International – all share equally in the council’s governance. Per the Council’s bylaws, the chairperson position rotates annually among the five payment card brands that comprise the Council’s Executive Committee.

For the 2013 term, Rob Tourt, chief risk management officer at Discover, finds himself serving as chairperson for the second time. And between his two roles, Tourt believes he’s identified one of the biggest challenges the payments industry faces: making transactions more secure without impeding innovation.

PYMNTS.com spoke with Tourt to discuss how his roles complement each other in an industry rife with change, and about the past, present and future of the PCI SSC.

According to Tourt, the main goal of the PCI SSC is to provide clarity and direction to merchants and acquirers about what they need to do to make their “transaction processing environments” secure. Tourt said that before PCI SSC, merchants knew they had to secure their environments, but weren’t sure how to do so. The PCI SSC gave them a single standard to follow, which in Tourt’s estimation eliminated much of the confusion. 

“I think it’s kind of an interesting study in industry self-regulation,” Tourt said of the PCI SSC. “If you go back to the beginnings of PCI, there were companies in the news pretty regularly and people were looking for direction … it’s very encouraging the way the industry came together, agreed upon a standard and has managed it in the way we have over the last several years.”

Although Tourt said he believes that the PCI SSC’s progress to this point is promising, he acknowledged that the Council still faces plenty of challenges.

In 2013, the Council will look to continue to provide guidance through the revision of two standards: the PCI DSS (Data Security Standard) and the PA-DSS (Payment Application Data Security Standard), which will be published in September.

Tourt said the revisions will keep in mind the PCI SSC’s same goals of bringing clarity and simplicity to the payments ecosystem. However, he specifically cited the change in technology around mobile payments and services as an area where the PCI DSS needs to strike a balance between security and innovation.

“I think one of the biggest [challenges], I would say, would have to be about the change in the technology and the amount of new and exciting things we’re seeing that are enabling people to pay faster and easier,” he said.

“All of that innovation is happening and we want to make sure that it’s happening in a secure manner. But we also don’t want to gate innovation.”

To hear more from Tourt on his roles on the PCI SSC council and at Discover, listen to the full podcast here.

   



Rob Tourt

Chief Risk Management Officer, Payment Services

As the head of the Payment Services’ risk organization, Rob is responsible for internal control, counterparty risk management, compliance and fraud prevention activities for the division.

Rob joined Discover Financial Services in 1985 as a fraud investigator. Since that time he has held positions in virtually all areas of the payments businesses. 

He has led the implementations of numerous strategic projects, from the first third-party issuers on the Discover Network to the network reciprocity agreements with China UnionPay and JCB. In his previous assignment, he led the integration of the Diners Club International network into DFS, which enabled Discover acceptance on DCI merchants outside the U.S.

Rob holds a Bachelor of Science in Business Administration from The Ohio State University and a Master of Business Administration from Northwestern University’s Kellogg School of Management.  He is currently the Chairman of the Payment Card Industry Security Standards Council, PCI SSC, and a member of the Merchant Risk Council’s Americas Advisory Board.