Retailers and other major stakeholders in the payment card chain finally have an opportunity to guide enhancements to the Payment Card Industry (PCI) data security standard mandated by the five major credit card companies.
This week 14 organisations - including retailers Wal-Mart Stores and Tesco Stores of the United Kingdom - were elected as the first members of the newly created Board of Advisors to the PCI Security Standards Council (PCI SSC).
They were chosen by members of a 200-strong community of retailers, banks and other organisations belonging to the PCI SSC, an independent body established in September 2006 by the credit card companies to manage the PCI standard worldwide.
The organisations will be responsible for collecting industry-wide feedback on the data security standard and influencing changes to it, said Seana Pitt, chair of the PCI SCC. Until now, the PCI standard has been entirely developed by just five credit card companies: Visa International, MasterCard Worldwide, American Express, Discover and the Japan Credit Bureau.
Setting up the advisory board will address some of the "confusion and resistance" from companies directly affected by PCI that did not have a "seat at the table," Pitt said.
"One of the key deliverables when we launched the council was to ensure that we had robust feedback from the marketplace to help us develop the standard. The election of our board of advisors is a key milestone."
Other members of the advisory board include British Airways, Bank of America, JP Morgan Chase and APACS, the UK Payments Association. Seven more members, selected by the PCI security standards council will be added later. The goal is to ensure that the 21-member board has geographic and stakeholder diversity, Pitt said.
Michael Barrett, the CIO at PayPal and a member of the advisory board, called its creation a good step. "The PCI standard is extremely important in protecting the payment card industry, but it isn't a finished work of beauty yet. It's a work in progress. It has rough spots that need to be polished down" by people with experience implementing it.
As an advisory board member that already complies with PCI requirements, PayPal can offer real-world guidance on the standard to the council, he said. "We've seen where it works and where it doesn't and can therefore make suggestions for tweaking the language here or driving it in a slightly different direction there."
PCI basically prescribes a set of 12 broad security controls that all entities accepting credit or debit card transactions are required to implement. The controls cover a wide range of issues, including encryption, transaction logging and monitoring as well as strong authentication and access controls. The standard went into broad effect in June 2005 and since then has become a major implementation issue - especially for larger companies that face heavy fines and increased transaction rates for non-compliance.
The creation of the advisory board and particularly the presence of retail heavyweights such as Wal-Mart and Tesco will ensure that all stakeholders have a voice, said Avivah Litan, an analyst with Gartner. "There's a lot of pent-up frustration in the market about not being able to help shape the standard," Litan said. The advisory board should be able to push the board of directors at the PCI security standards council to change that situation, she said.
Areas that could benefit from input include the issue of compensating controls, Litan said. Currently, there is considerable confusion about where and when companies can use compensating controls in lieu of PCI requirements. Similarly, companies are looking for better guidance on prioritising the controls they need to implement, she said.
"The standard doesn't address the question of 'Where do you begin?’," she said. "It is too detailed in some areas and really general in some areas," Litan added.
"I think we need to do a number of things," said Colin Whittaker, head of security at APACS. "We need to make sure the standard remains relevant to the emerging threat environment. We need to make sure that it is sufficiently responsive and appropriate to all markets where payment cards are used because there are different threat profiles."
The move by the PCI standards council to solicit feedback from stakeholders is similar to what other international standards bodies have done, Whittaker said. "PCI effectively is a proprietary standard. The council wants to get wider engagement in place" to keep it relevant, he said.
The newly created advisory board's charter does not touch upon PCI implementation and enforcement issues, which are perhaps more important in the short-term than standards-related issues.
Currently each of the five credit card brands has its own implementation, auditing and enforcement practices and companies face huge challenges keeping up with all of them.