Community

Join the Community

22,194
Expert opinions
44,260
Total members
384
New members (last 30 days)
210
New opinions (last 30 days)
28,728
Total comments
Join Sign in

Is PCI a white elephant?.. Or is Dave Birch wrong?..

  0 2 comments
Retired member
Unfollow

The most frequently cited and referenced part of PCI DSS relates to protection of cardholder data, mainly card number (PAN), cardholder's name and card expiration date.

Now, Dave Birch of Consult Hyperion (one of the leading consultancies in the payments industry) as well as Mark Austin, head of contactless at Visa Europe, are saying that the information "on the front of a bank card" is not... sensitive. At all! 

Hm, the information on the front of your bank card is exactly the data PCI is making so much fuss about: PAN, cardholder name and the expiration date...

Merchant and payment device developers go through a lot of expense and effort to protect PAN, in particular. Why bother, if that data is easily available to anyone with an NFC phone. 

Whilst we are on the subject, let's open another can of worms - do we really need PAN on the card? We had a lengthy discussion with MasterCard about that and they said... "Well, that depends." That was after we pointed to a Barclaycard NFC sticker which is, essentially, a... contactless bank card. It has neither name, nor PAN, nor the expiration date on it. And works just fine.

On a related note, as part of our market research programme, for the past few months I have been attempting to pay in shops with my... Priority Pass. Not a single shop assistant ever (!) questioned that card. Some noticed it doesn't have chip and suggested that I... use a mag stripe - "It's one of those American cards, init, mate?" Absence of Visa, MasterCard or Amex logo was never part of the conversations I had at the till.

To sum it up, my card card number is not a big deal. And I even don't need one. (The same goes for the card scheme logos, but that's a subject for another blog post).

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5247
 

Share

 
 
 
 
 

Channels

/payments
 

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Join group

1725 opinions 241 members

Comments: (4)

David Birch

David Birch Grand Poo-Bah at Tomorrow's Transactions

I didn't say that the information wasn't sensitive, I said that you could read it from the front of the card so the supposed NFC vulnerability is uninteresting. Yes, I am not a fan of PCI-DSS, but that still doesn't mean I want people to store huge quantities that data without security.

To reduce fraud we must make it either harder to steal the cardholder data (the PCI-DSS expensive route) or make it harder to use the cardholder data (the 2FA route). I favour the latter.

A Finextra member 

I agree with you, Dave, re 2FA. We need neither PAN, nor CVV in the clear on the card for retail transactions. For e-comm, we can either use tokenization (Tom Noyes has good posts on the subject, e.g. http://tomnoyes.wordpress.com/2013/02/20/payment-tokenization/) or, at the very least, dynamic CVV. Those simple measures alone would greatly improve security, without the expense, complexity and hassle of PCI DSS...

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@AlexanderP: Your image is of Multipass whereas your hyperlink goes to the website of one PriorityPass, which displays card #, cardholder name and expiration date! On another note, like I mentioned in Why Is This Data Breach Different?, I prefer more protection than just PCI-DSS instead of 2FA.  

A Finextra member 

MultiPass is an example of PAN-less card (with a modified scheme logo). Priority Pass example illustrates that the merchants don't really care about such things as scheme branding (or PAN) - same logic as a bank-issued contactless sticker.

More expert opinions

Alex Kreger

Alex Kreger Founder & CEO at UXDA

Banking Beyond 2025: Seven Digital Banking Trends to Elevate Your Financial Brand

16

Francesco Fulcoli

Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone

FCA Consumer Duty Publications Summary (December 2024)

1

Erica Andersen

Erica Andersen Marketing at smartR AI

A Lords Guide to Regulating AI: pro-innovation can be pro-regulation

Dmytro Spilka

Dmytro Spilka Director and Founder at Solvid, Coinprompter

Is Wall Street About to Become Deregulated? What Could Compliance Look Like in the Years Ahead?

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,194
Expert opinions
44,260
Total members
384
New members (last 30 days)
210
New opinions (last 30 days)
28,728
Total comments
Join Sign in

Trending

Darren Carvalho

Darren Carvalho Co-Founder and Co-CEO at MetaWealth

The Future of Wealth Management: Pension Funds and the Promise of Tokenized Assets

Boris Bialek

Boris Bialek Vice President and Field CTO, Industry Solutions at MongoDB

Enhancing Digital Banking Experiences with AI

Kathiravan Rajendran

Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global

Strategy that Banks should consider in 2025 to outpace fintechs and MTOs in Cross Border Payments

Barley Laing

Barley Laing UK Managing Director at Melissa

Reducing the impact of AI-driven fraud in 2025

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept