Flywire will advise on PCI security standards as part of a small group of global organizations, weighing in on the future of the gold standard for credit card processing security.
Flywire joins industry titans like Bank of America, Apple, JP Morgan Chase, HDFC Bank and dozens more as an elected member of the Board of Advisors for the PCI Security Standards Council (PCI SSC) for a two-year term, starting June 1.
This appointment gives Flywire a stronger voice, insight and influence on one of the most important standards governing secure payment processing, at a time when both electronic payment processing and the data breach risks associated with it are exploding. Flywire is among 52 of the “world’s leading companies from all sectors in the payments space,” who now have the opportunity to vote on new standards and major standard revisions before they’re released.
“In the changing payment environment, more so than ever, we depend on the guidance and input provided by our advisors to understand and address the new challenges and new technologies facing payment security,” PCI SSC Executive Director Lance J. Johnson said in a press release.
The importance of the standard extends beyond securing credit card payments – as other organizations and standards look to PCI for guidance. For instance, NACHA now requires large senders of ACH payments to protect account numbers by rendering them unreadable when stored electronically – in compliance with PCI.
Flywire is a veteran of the PCI Security Standards Council – having at its helm one of PCI’s original architects in David King. Almost 20 years ago, King, who is Flywire’s CTO, was among those who helped bring together several different standards governing card payment security into what is now the sole standard for the card networks – helping to draft version 1. He pioneered payment security in one of the most complex spaces – healthcare – as the creator of the first PCI-validated P2PE (Point-to-Point Encryption) device for healthcare, ensuring extremely secure payments by encrypting data at several points along its transmission. Flywire has also been a long-time member of the PCI Security Standards Council, as one of 200 organizations that contributed to changes in PCI v4.0 – the latest security standard – for instance.
King shared some thoughts on card security, and why expanding Flywire’s role in ensuring and advancing PCI compliance is so important.
Flywire already had a role in the PCI Security Standards Council – why is it important to expand that and contribute more?
The threshold to meet PCI compliance has and will continue to increase – with good reason – and we need to be at the center of all of that. We are a member of the PCI Security Standards Council, helping to review and provide feedback on changes, for instance, to PCI v4.0. As a member of the Board of Advisors, we now have the opportunity to contribute our knowledge, feedback and vote on changes.
We handle payments for some of the most complex and highly regulated industries on the planet. Flywire has both an opportunity and an obligation to continue to contribute to those payments being processed as securely and efficiently as possible – and to help our clients offload some of the responsibility and risk.
Why is it so important to keep improving credit card payment security?
People and businesses increasingly want to make purchases – high value purchases – by credit card. In the Federal Reserve Payments Study, both the number and value of payments made by card grew fast – in fact, for the latter, faster in the last three years than any other year on record. At the same time, the threat environment is more complex and the risks and costs of a data breach are higher. Compliance failures are among the top three factors contributing to increasing the total cost of a data breach. Having a high level of compliance failures is associated with increasing the cost of a breach by a factor of 50%, according to IBM’s Cost of a Data Breach survey. Fines for noncompliance get passed onto businesses and organizations, and ultimately, trickle down to consumers.
PCI v4.0 is coming – what’s one thing organizations can do right now to prepare?
PCI is pass or fail. It’s very important to understand that if your vendor is not PCI v4.0 compliant, then you also fail PCI. Outside of your own technical work to achieve compliance, are you managing your vendors and making sure they are PCI v4.0 compliant? Flywire immediately started implementing the new controls as soon as they were released. In fact, we had many of these in place already and are prepared to support you.
When is the compliance deadline?
PCI v4.0 was released on March 31, 2022. We are in the transition period from v3.2.1 to v4.0. On March 31, 2024, v3.2.1 will be retired and you must be compliant with v4.0.
What are some of the biggest changes in PCI v4.0?
Security awareness. PCI v4.0 has a focus on security awareness training for hiring and training employees, contractors, and third-party vendors.
Enhanced validation methods. Making sure security controls are up-to-date and effective is critical. PCI v4.0 introduced new validation methods of segmentation controls and requirements for reviewing segmentation.
Expanded scope. PCI v4.0 includes new requirements for securing emerging technologies such as cloud computing, virtualization, and mobile payments. It also includes requirements for securing the supply chain and third-party service providers.
Testing and risk assessment. PCI v4.0 offers a bit more flexibility in testing procedures, but requires institutions to implement a formal process for detecting and responding to security incidents. It has shifted to a more risk-based approach and compensating controls.