The PCI Security Standards Council is devising recommendations for protecting payment transactions on devices connected to the Internet of Things, a network with endpoints researchers say already number in the billions.


The Wakefield, Mass.-based PCI Council, which oversees a number of security standards for the protection of credit and debit card data, is developing what chief technology officer Troy Leach calls a “framework” for ensuring payment security when IoT devices are involved. The framework will pay especially close attention to software controlling payments on the devices.


“We are developing a new software security framework that is going to be applicable to all types of payment software, potentially including the Internet of Things,” Leach tells Digital Transactions News.


The framework will have three major components that address secure software coding principles for IoT devices, software updates, and testing of payments-facilitating applications, according to Leach.


Specific payment-security rules for the IoT aren’t in the immediate offing, nor is there any timeline for completing the framework. Anything that emerges from the framework likely would first appear as best-practices recommendations, according to Leach.


“There are a lot of moving parts,” says Leach. “My hope is we will have this out next year.”


Leach adds that the Council “will have heavy industry involvement” in developing the framework. The Council also is working with non-payments software companies such as Microsoft Corp. and Intel Corp. to get ideas and recommendations.


The IoT has exploded into the public consciousness this year, and especially since last month when a huge digital denial of service (DDoS) attack that surreptitiously marshaled IoT devices temporarily crippled a number of major Web sites. Research firm IDC Financial Insights recently estimated the IoT connected more than 12 billion devices last year and that it could have more than 30 billion by 2020.


The IoT includes everything from cameras to cars to wearable devices and clothing to household items such as thermostats and garage door openers. MasterCard Inc. demonstrated the IoT’s payments potential early this year when it showcased a Samsung Web-Connected Refrigerator that included a touch-screen and app enabling the owner to order and pay for groceries.


The problem with the IoT from a payment card security perspective is that, in adding payment functionality to some Web-connected devices, a whole new corps of software developers without any payment experience is dealing with data-protection issues for the first time, says Leach. That was the case in the payments industry itself a decade ago, when the major card networks created the PCI Council. But the importance of data security was easier to grasp back then when everybody involved—from banks to card networks to processors, merchants, and vendors—was familiar with the ins and outs of electronic payments.


But with the IoT, “payments is an element, but not central to the product design,” says Leach. “That’s what’s different from 10 years ago.”