In a recent article featured on SearchSecurity.com, a chief security officer of a payment processor expressed his concerns and opinions on the PCI Security Standards Council and the oversight of the PCI Data Security Standard (DSS), as they specifically related to his company's interests.
While the very nature of our organisation is based on the feedback and collaboration of the greater payment community, and we welcome any and all comments, we did want to provide SearchSecurity readers with an additional perspective to some of the concerns raised.
Specifically, as the general manager of the PCI Security Standards Council, I want to offer the council's position on the following:
Compliance is a Journey
Achieving compliance with any industry standard requires time and is not a one-day event. While I cannot comment on specific compliance levels, as the PCI SSC has not replaced the individual payment brand programs, I can tell you that the payment brands have witnessed a significant uptick in compliance over the last year, and this trend looks set to continue as more and more merchants demonstrate that they have mapped out their processes against the PCI DSS.
This is extremely heartening to the council, as our core goal is to drive adoption as well as reduce costs and lead times for the implementation of the PCI DSS through our ownership, development and maintenance of the standard.
We therefore strongly disagree with the recommendation to "set the bar lower" for PCI DSS requirements. There is an implicit expectation from consumers that merchants and financial institutions handle their information in a secure fashion, and we are actively working to meet this expectation through the PCI DSS. Compliance is improving on a daily basis, and making the PCI DSS easier to achieve runs counter to delivering a robust and effective data security standard. Everyone involved in the payment process has a duty to consumers to protect their data to the highest standard. This is the baseline principle, and it will not be achieved by loosening PCI DSS requirements.
Additionally, we believe that the suggestion to develop a "PCI Certified Directory" listing the names of PCI compliant companies could be used by hackers to target and attack specific companies. The council does not support putting consumers' data at potential risk in this way.
Financial Institutions: A key component of our participating organisation membership
The 12 requirements of the PCI DSS are the most prescriptive of all the common standards or regulations. We have done this intentionally, as we want to be in the best position to address emerging threats and exploits that evolve over time. To that end, one of the most significant actions the council has taken since its formation is a commitment to provide a transparent forum, through a participating organisation membership base, in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of data security standards.
I'd like to highlight that financial institutions have been one of the greatest champions of the PCI DSS. It is important to remember that, as recent events have illustrated, financial institutions are directly and financially impacted by data security breaches. As such they wholeheartedly recognise the value of the work that we are doing. A simple perusal of our participating organisation roster affirms the engagement of this important industry sector.
Additionally, our invitation to participate in the feedback process has generated an overwhelming volume of support and buy-in from organisations throughout the payment chain – including merchants, processors, POS providers, and financial institutions. Each stakeholder has an opportunity to influence the direction of PCI standards through active involvement in community meetings, advance review of drafts of standards and supporting materials, and regular dialogue with key stakeholders.
The next step in this important feedback loop will be the announcement of a board of advisors elected from and by our participating organisation members, as well as the first global community meeting to formally begin shaping the next iteration of the DSS.
Next Steps: Reaching more merchants
We will continue to focus on expanding our education and awareness efforts. In the initial cycle since the council's formation, we focused on mitigating the greatest potential volume of risk by driving awareness among large merchants. In the coming months we hope to replicate the same success in our outreach efforts to smaller merchants and acquirers. For instance, we have a detailed plan in place to simplify the self-assessment questionnaire for smaller merchants.
In the interim, we will also continue to assess additional security standards, such as the PIN Entry Devices standard, for adoption under the council's administration.
Within the last six months, we have succeeded in raising awareness of the DSS and driving adoption of the standard. In the next six months, with the assistance of our 200 participating organisations, we will continue to evolve the PCI DSS to accurately reflect real world challenges.
We welcome the continued feedback and open dialogue of our payment card industry constituents and look forward to your ongoing engagement and participation in the months ahead.
Bob Russo is the general manager of the PCI Security Standards Council. The council was formed by the major payment card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to enhance payment account security by fostering broad adoption of the PCI Data Security Standard. About 200 merchants, banks, processors and point-of-sale vendors are currently registered as PCI SSC Participating Organisations. If you would like more information on the PCI Security Standards Council or would like to become a Participating Organisation, please contact the PCI Security Standards Council at email@example.com.
This was first published in May 2007