PCI DSS: UK companies can help shape the standard, says EU director

Jeremy King, recently appointed European director for PCI DSS, said UK and European companies can have greater influence on the future of the credit card security standard, and offered an early assessment of PCI DSS 2.0.

LONDON -- The new European director of the Payment Card Industry Security Standards Council (PCI SSC) has urged more European companies to get involved in shaping the future of the PCI Data Security Standard (PCI DSS UK).

In one of his first public speeches since being appointed to the role, Jeremy King told members of the PCI DSS UK Users Group that European companies have a big role to play in formulating the standard and ensuring it suits their needs.

At present, there are only five European companies on the 21-strong global Board of Advisors at the SSC; they include RBS Plc., Barclays Bank Plc. and Tesco Plc. "The members have a big influence on the standard; they review all the documents and provide a lot of input," King said.

He said he hoped the balance of influence would change over time with European companies assuming a bigger role. In the meantime, he urged more companies to become Participating Organisations -- a designation that, for $2,500, grants greater input into standards development and early access to drafts of new standards -- and to be more active in special interest groups.

"Europe is as big a region as the US. It has around three million merchants, and about 70 billion credit card transactions a year, but only 85 Participating Organisations and 90 QSAs (Qualified Security Assessors)," he said.

King also warned companies not to treat PCI DSS compliance as a mere box-ticking exercise, because this would not make them secure. "Security is a 10-foot wall and PCI DSS is just the first three feet. It's a good foundation, but it's not everything," he said.

"Good security requires a change of mindset, because systems and configurations are changing all the time and you need to continually work at it."

He also encouraged companies to attend the PCI SSC's European Community Meeting in Barcelona, Oct. 18 to 20, where they would be able to learn more about version 2.0 of PCI DSS, as well as new versions of the associated payment applications standard (PA DSS), and PIN Transaction Security standard.

Attendees in Barcelona will also be able to attend the first European courses for the Internal Security Assessor Program, which gives those working for user organisations a chance to learn more about the standards' requirements and thereby better equip them to deal with their QSAs. King also promised that more such courses will be provided in the UK "early next year."

He promised that version 2.0 of PCI DSS, due to be announced in the coming weeks, will not bring any great surprises for companies. "There won't be any shocks in the new standard," King said. "There will be clarifications on some points, and we will be raising the bar somewhat." A summary of the expected changes is already available on the PCI SSC website.

King also promised that the SSC will soon publish new guidance papers on tokenisation and end-to-end encryption, and advised companies to delay any decisions about tokenisation until they have seen the papers. "The devil is in the details when it comes to these two subjects, and it has been a challenge to get the acquiring banks to adopt similar approaches among themselves on the issue," he said.

The problem, he said, underlines the fact that PCI DSS is open to a lot of interpretation and needs to be applied intelligently to individual cases, especially where compensating controls are adopted to meet some of the security criteria.

It also explains why companies can sometimes receive conflicting advice from QSAs who may interpret the rules differently. King said if companies feel they are receiving incorrect guidance or bad advice from their QSAs and can't work out the disagreement on their own, they should report them to the PCI SSC, where conflicts can be mediated.
