Most UK merchants have managed to keep their acquirers at bay by showing they have a compliance programme in place, even though their target dates for full compliance might be several years off. Some small companies have become compliant by outsourcing their card processing altogether, and some online retailers have achieved compliance in the same way. But among the large Level-1 merchants that handle high volumes of card transactions in shops as well as online or over the phone, few are even close to being compliant.
It is not that the retailers want to be insecure. But when it comes to PCI DSS, many complain that the advice they receive from their Qualified Security Assessors tends to be patchy and inconsistent. And some QSAs complain of a lack of clarity in the standards as they apply to European business.
But that is all due to change if Jeremy King has his way. Newly appointed as the first European director for the PCI Security Standards Council, King has taken on the task of spreading the word -- and possibly cracking the whip -- to encourage European companies to adopt the PCI DSS with more enthusiasm.
Having spent the last 10 years at MasterCard Inc., much of the time working on PCI projects, King knows he must raise awareness of the standard and encourage greater participation in the formulation of the standard as it develops.
"If European merchants get involved, they can get access to the standards… and also have input into the standards as they are being developed. And they can get access to all the training that is available as well," he said.
King said a good place for organisations to start learning about PCI DSS would be the European Community meeting, to be held in October in Barcelona. "It is open to participating organisations, and it's a great opportunity to improve participation, and hopefully improve compliance in Europe," King said.
Companies that participate can influence standard formation through open-microphone sessions with the advisory board of the SSC, he said, and they can also take advantage of education and training programmes that take place at the conference.
At the moment, though, Europe's influence is small. At a recent advisory board meeting in Chicago, King said, there were just four European representatives out of 21. His goal is to increase the European contingent. "The PCI has recognised they were a little slow in Europe, and they needed someone to give the standard a bit of focus. Merchants didn't know where to go to get the information they needed."
He concedes that Europe is more complex because every country has its own rules, regulations and requirements. "This creates challenges that are different in each country. I'll be going round the different banking associations and acquirers so we can tackle some of the issues and resolve some of the problems that are preventing people from achieving PCI compliance," King said.
He comes on board at a busy time for PCI standards. UK merchants classified as Level 1 -- processing more than 6 million transactions annually -- that accept Visa and MasterCard must comply with PCI DSS by the end of September. The new PTS standard for terminals has just been rolled out, and the PCI Security Standards Council (PCI SSC) has introduced a new lifecycle for future versions of its standards. "That is a positive move for the merchants because it's moved from a two-year programme to a three-year programme, and that gives the merchants much more time to learn about the new standards, and to see how the new standards are going to affect them," King said. "It should help merchants to achieve compliance."
The 2010 PCI DSS update, which is likely to be called 2.0 (although some say it will be 1.3, indicating a more minor change), will also be launched this fall.
In the meantime, King has set himself a busy schedule to meet the acquirers and hammer home some of the requirements. "I have the support of the card brands, and hopefully I will get the support of the acquirers. And companies like Tesco Plc. are very much committed to being compliant with PCI," he said. "I shall be working with the card brands and the acquirers to filter down the relevant and correct information so they understand the timescales they need to work to."
Less than a week into the job, he has already had a meeting with the Royal Bank of Scotland Group Plc., will soon meet with Barclays Bank Plc., and is working with the UK Cards Association so he can attend their next acquirers meeting.
"It can be hard to get accurate information distributed. We will work in a partnership with the acquirers so they correctly understand the PCI standards and how those standards apply to them," King said. "We need to then ensure the information is disseminated accurately down to the merchants so they can understand what the dates are for compliance. We need to get across to people the important requirements of PCI DSS and how they need to be implemented."
He knows the job will not be easy, given the variety of business practices across Europe. "Yes, it is a hard job, but I knew that when I walked into it," King said. "Europe's got about 4,500 banks, several million merchants and there's an awful lot of cardholder data that needs to be protected." He adds that he is already looking beyond the 32 countries in the Single Euro Payment Area and considering what needs to be done in countries like Russia and Turkey, where credit cards are increasingly used.
For the moment, he is on a campaign to get merchants to take a more active role in standard formation. "There is an opportunity for the merchants to become participating organisations, and they will get a chance to input their ideas. And if they get elected on to the board, there is even more opportunity to input. It's a great opening for them."