As the general manager of the Payment Card Industry Security Standards Council,Robert Russohas borne the brunt of criticism about the PCI data security standard.
Computerworld spoke with Russo last week as the council prepared to receive formal comments from industry stakeholders about the current version of the standard, which went into effect last autumn.
Russo stoutly defended the standard and said that despite questions about its effectiveness, there's no alternative when it comes to protecting payment card data.
What do you say to those who have said the PCI rules-making process is not as inclusive as it needs to be?
The way it works is after we release a new standard, it stays out there for a approximately eight months and then a new comment period begins. All of our participating organisations, as well as all of the assessment community and approved software vendors and such will have the opportunity to give us formal feedback.
We will ask them to tell us what their top five priorities are regarding the standard--what they would like to see addressed, what they'd like to see changed, what they'd like to see added or deleted.
We take all of this information and we will digest that and put that in some form that can be distributed once again to the participating communities, saying: 'This is the result of everything we have gotten.
And this is what we are proposing, based on what we heard should be in the newest version of the standard,' and then we will have another comment period. That information will be the basis for the new or evolved standard that will be released.
Representatives from seven trade groups sent you a letter earlier this month asking why the PCI standards development process can't be like the one used by the American National Standards Institute. What's your response?
We are a global standard, so there are some issues...with just dealing with a standard that comes from one country or the other. As a matter of fact, when they published that letter, there was an article in the UK saying, 'Hey this is a global standard. Why are you telling these guys to do something that is just US centric?'
We need to worry about stuff all over the world. That is specifically what we are doing at this point. Certainly, we look at all standards to see how we might be able to align our standards with those things. If there is a better way of doing it than the existing standards, we have no qualms about adopting it.
So what you are saying is that your standard is as inclusive as it can be under the circumstances?
That's right. What do you think of questions about the effectiveness of the standard from merchants and even by lawmakers? Certainly, we believe it has been very effective.
The standard, as far as we are concerned, is your best defense against a breach. What we have found over the years, and what we have been saying over and over again, is that some of these breaches that you are reading about happened because [the breached entity] turned out to be non-compliant at the time of the breach. I've testified before Congress about some of these things.
Basically, what they are saying is, 'If these guys were compliant, why were they breached?' Well the simple fact of the matter is they were compliant at a point in time and when the breach occurred, they were not.
But are the standards adequate for protecting payment card data effectively?
At this point, we haven't seen anything in the standard that causes us concern. If I were one of these merchants or a processor or somebody that has been breached, and there was something wrong with the standard, I'd be the first guy to stand up in front a microphone and say, 'Hey the problem with the standard is requirement xyz.'
But nobody's doing that. If there is something that is egregiously wrong with the standard, then we would be stressing it at this point. But, again, the simple fact of the matter is that somewhere, somehow [a company that gets breached] was not compliant at the time of the breach.
Why are PCI compliance assessors also allowed to sell security technologies to the companies they do assessments with?
Some have said that it creates a conflict-of-interest situation. There are a number of things in our contracts with QSA (qualified security assessors). There are independence clauses in there, for example.
A company can sell a solution to a security issue, but when they propose it to a company that they are doing an assessment with, they basically have to say, 'You need this kind of technology to be compliant and we sell one, as well as 15 other people.' They can't come in and say: 'You need to buy our product, otherwise you are not compliant."
When a QSA goes in, they give a feedback form to whomever it is that they are doing the assessment for. If the (company being assessed) has any issues with what the QSA is doing or feel like they are being forced into something that they don't want, we encourage them to give us that feedback.
Why is PricewaterhouseCoopers reviewing end-to-end encryption, tokenisation and chip and PIN technologies for the PCI Security Standards Council?
What they are be doing is looking at these technologies and a couple of others as well and seeing what needs to be in these technologies for them to be considered for the standard. They are going to say [that] if you are using end-to-end encryption technology it must do these five or eight or 10 or 20 things.
And you must do them this way in order to be considered compliant with the standard. We realise that technology is moving very quickly and certainly we want to make sure that we are giving everyone the opportunity to use these methods to protect (payment card) data if, in fact, they are good methods.
Have you been surprised by the criticism leveled against PCI of late? Or is it only to be expected with an effort this big?
You hit the nail on the head. First of all, this is a very big effort. Second, regardless of who is responsible for the standard, in an economic environment like the one we are in now, when people can't afford to do the work, they don't want to do the work. But really there is no alternative. This is the best way to secure payment card data.