PCI SSC: Europeans sought to shape credit card security policy

Nominations recently opened for organisations to join the PCI SSC's advisory board, and PCI European Director Jeremy King is keen to see more UK companies elected.

Interested in influencing PCI security standards and ensuring they help your business, rather than just being a regulatory burden?

Here is your chance: The Board of Advisors to the Payment Card Industry Security Standards Council (PCI SSC) is seeking nominations for new members, and the aim is to ensure more representation from European companies.

The PCI SSC is responsible for three security standards related to payment cards: the PCI Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements, and the Payment Applications Data Security Standard (PA-DSS). The standards are backed by five major payment card schemes, including Visa and MasterCard, and are designed to reduce card crime and help organisations protect their customers' payment card data.

"I want to get more Europeans on the board," said Jeremy King, who became the PCI's first European director last summer. "I'm banging my drum to get the nominations and for everybody to support the European nominations."

The advisory board of the PCI consists of 21 members, 14 of whom are up for election for each two-year period. The other seven places are allocated by the executive committee of the PCI to ensure a good balance of interested parties.

In order to be eligible for nomination, companies need to become a Participating Organisation in the PCI process, which costs $3,000 per year and entitles the member to attend community meetings and to have early sight of any proposed changes.

Europe currently has five representatives on the board of advisors: Royal Bank of Scotland, Tesco Stores Ltd., Lufthansa Systems, Barclaycard and the European Payments Council. "If I can get a couple more Europeans elected, I'll be very pleased," King said.

Being elected to the board of advisors provides organisations with an opportunity to play a role in the development of future credit card security policy guidelines and to provide input from their own region and industry.

Some companies, especially those in Europe, have complained in the past that PCI DSS is too US-centric and fails to reflect different practices in Europe, where, for example, Chip and PIN technology is in much wider use.

King's appointment as European director was seen as a first step toward getting wider input from -- and spreading the word across -- Europe, especially in those countries where PCI DSS has, so far, had little impact.

"The more input and representation we can get from Europe, the better it will be. Our aim is to get a global standard," King said. "In the last board of advisors, we also had representatives from Australia and Latin America, but there are still too many Americans represented. I'd like to rebalance it. We need to have different views and different approaches, especially this year when we have just launched our new versions of the standards."

King said he expects most nominations to come from UK organisations, with some also from Scandinavia, where PCI DSS has started to take off. But getting involvement from other parts of Europe could take longer, according to Nigel Dickens, CISO at Cardif Pinnacle, an insurance company owned by the French BNP Paribas Group. "PCI has had a low take-up in a lot of Europe," he said. "Many people in France see it as something from America, and therefore [something that has] nothing to do with them. But if this is to be an international standard, it is essential that we have international people to evangelise it."

Neira Jones, head of payment security at Barclaycard, was more upbeat. Her organisation has been on the PCI board of advisors for the last two years and is hoping to be elected once again. "We have achieved a great deal in the last two years, in driving forward the agenda on call recording and the problems of smaller merchants," Jones said. "We have also been active in the scoping special interest group, working on encryption and tokenisation, and we also produced the EMV [chip card] white paper."

As well as campaigning for re-election, she said she was "personally encouraging" more European companies to put themselves forward for nomination.

The nominations process opened on Jan. 27, 2011, and closes on Feb. 25. It will be followed by a voting period from mid-March to early April, in which participating organisations can vote for their representatives for the next two-year term. The new Board of Advisors will be announced in early May 2011, and their first face-to-face meeting will take place in June.
