SPP Coalition Challenges Payment Card Giants on Cybersecurity
Retailers and providers of payment networks this week announced they are coming together to form a Secure Payments Partnership (SPP), a coalition dedicated to smoothing implementation of cybersecurity technologies.
Founding members of SPP include the Food Marketing Institute, National Retail Federation, National Association of Convenience Stores, National Grocers Association, First Data’s STAR Network and SHAZAM.
The primary reason the SPP is being formed is to address how payment card security standards such as Payment Card Industry Data Security Standards (PCI DSS) and chip-enabled payment cards are implemented—a process that, for the last two years, is widely recognized as being deeply flawed around the world.
Douglas Kantor, a partner at Steptoe & Johnson LLP in Washington, D.C., who is serving as spokesperson for SPP, said the core issue is that Visa and MasterCard are defining payment security standards without any input from merchant, consumers, financial institutions or rival card networks. Rather, Visa and MasterCard have essentially pushed these stakeholders to advisory roles. SPP intends to formally and informally advocate with Visa and MasterCard on behalf of these stakeholders to make their concerns better understood and, if need be, lobby on behalf of those concerns with government leaders around the world.
Kantor noted that cards with embedded chips are just the tip of the iceberg when it comes to payment security. Visa and MasterCard are devising an approach to enable online transactions to occur with a single touch of a button, without getting relevant input from key stakeholders concerning how that technology might be implemented.
Beyond that, there is a raft of emerging mobile computing technologies that are of interest to members of the SPP, Kantor noted, adding credit card companies have a bias toward the plastic cards they issue over emerging technologies that may transform the entire payments process altogether. The SPP wants to make sure those technologies are not stymied before they ever get a chance to mature, he said.
Kantor pointed out that the SPP is not trying to define any new standards, but there’s a clear need for providers of payment cards and the business entities that process those transactions to work together more closely. The SPP is hoping IT vendors also will lend their expertise to achieving that goal.
In effect, SPP represents the formation of the equivalent of a congress of sorts. Retailers are not yet ready to rebel formally, but they are putting Visa and MasterCard on notice that there needs to be significant changes in how cybersecurity technologies are implemented. The two companies currently dictate those changes in large part because the entities that need to implement cybersecurity historically have not been well-organized. The SPP creates an opportunity for future, more bilateral advances in payment cybersecurity to reduce growing friction between retailers and the payment card industry.
Of course, there may come a day soon when payment cards themselves are obsolete. But there is always going to need to be some form of standardized approach for securely processing a transaction across one type of payment card network or another.