In a recent article featured on SearchSecurity.com, a chief security
officer of a payment processor expressed his concerns and opinions
on the PCI Security Standards Council and the oversight of the PCI
Data Security Standard (DSS), as they specifically related to his
company's interests.
While the very nature of our organisation is based on the
feedback and collaboration of the greater payment community, and we
welcome any and all comments, we did want to provide SearchSecurity
readers with an additional perspective to some of the concerns
raised.
Specifically, as the general manager of the PCI Security
Standards Council, I want to offer the council's position on the
following:
- The suggestion that PCI SSC
needs to lower requirements for PCI DSS to encourage merchant
compliance
- The opinion that financial institutions are not supportive of
the PCI DSS
- The suggestion that smaller merchants need assistance to help
them better understand the PCI DSS
Compliance is a Journey
Achieving compliance for any industry standard requires time and
is not a one-day event. While I cannot comment on specific
compliance levels as the PCI SSC has not replaced individual
payment brand programs, I can tell you that the payment brands have
witnessed a significant uptick in compliance over the last year and
this trend looks to continue as more and more merchants demonstrate
that they have mapped out their process with the PCI DSS.
This is extremely heartening to the council, as our core goal is
to drive adoption as well as reduce costs and lead times for the
implementation of the PCI DSS through our ownership, development
and maintenance of the standard.
We therefore strongly disagree with the recommendation to "set
the bar lower" for PCI DSS requirements. There is an implicit
expectation from consumers that merchants and financial
institutions handle their information in a secure fashion, and we
are actively working to meet this expectation through the PCI DSS.
Compliance is improving on a daily basis, and making the PCI DSS
easier to achieve is counterproductive to delivering a robust and
effective data security standard. Everyone involved in the payment
process has a duty to consumers to protect their data to the
highest standard. This is the baseline principle and will not be
achieved by a loosening of PCI DSS requirements.
Additionally we believe that the suggestion to develop a "PCI
Certified Directory" detailing the names of PCI compliant companies
could be used by hackers to target and attack specific companies.
The council does not support putting consumers' data at potential
risk in this way.
Financial Institutions: A key component of our participating
organisation membership
The 12 requirements of the PCI DSS are the most
prescriptive of all the common standards or regulations. We have
done this intentionally, as we want to be in the best position
to address emerging threats and exploits that evolve over time.
To that end, one of the most significant actions the council has
taken since its formation is a commitment to provide a
transparent forum, through a participating organisation
membership base, in which all stakeholders can provide input
into the ongoing development, enhancement and dissemination of
data security standards.
I'd like to highlight that financial institutions have been one
of the greatest champions of the PCI DSS. It is important to
remember that, as recent events have illustrated, financial
institutions are directly and financially impacted by data security
breaches. As such they wholeheartedly recognise the value of the
work that we are doing. A simple perusal of our participating
organisation roster affirms the engagement of this important
industry sector.
Additionally, our invitation to participate in the feedback
process has generated an overwhelming volume of support and buy-in
from organisations throughout the payment chain – including
merchants, processors, POS providers, and financial institutions.
Each stakeholder has an opportunity to influence the direction of
PCI standards through active involvement in community meetings,
advance review of drafts of standards and supporting materials, and
regular dialogue with key stakeholders.
The next step in this important feedback loop will be the
announcement of a board of advisors elected from and by our
participating organisation members, as well as the first global
community meeting to formally begin shaping the next iteration of
the DSS.
Next Steps: Reaching more merchants
We will continue to focus on expanding our education and
awareness efforts. In the initial cycle since the council's
formation, we focused on mitigating the greatest potential volume
of risk by driving awareness among large merchants. In the coming
months we hope to have the same success replicated in our outreach
efforts to smaller merchants and acquirers. For instance we have a
detailed plan in place to simplify the self-assessment
questionnaire for smaller merchants.
In the interim, we will also continue to assess additional
security standards, such as the PIN Entry Devices standard, for
appropriation under the council's administration.
Within the last six months, we have succeeded in raising
awareness of the DSS and driving adoption of the standard. In the
next six months, with the assistance of our 200 participating
organisations, we will continue to evolve the PCI DSS to accurately
reflect real world challenges.
We welcome the continued feedback and open dialogue of our
payment card industry constituents and look forward to your ongoing
engagement and participation in the months ahead.
Bob Russo is the general manager of the PCI Security
Standards Council. The council was formed by the major payment card
brands American Express, Discover Financial Services, JCB,
MasterCard Worldwide and Visa International to enhance payment
account security by fostering broad adoption of the PCI Data
Security Standard. About 200 merchants, banks, processors and point
of sale vendors are currently registered as PCI SSC Participating
Organisations. If you would like more information about the PCI Security
Standards Council or would like to become a Participating
Organisation please contact the PCI Security Standards Council at
info@pcisecuritystandards.org.