Security providers in the channel who are currently frustrated with PCI DSS (Payment Card Industry Data Security Standard) regulations have a chance to make a difference in the next iteration of credit card security standards if they act quickly.
The PCI Security Standards Council is currently in the middle of a feedback period in its drive to update PCI compliance standards by October 1, 2010, and is seeking contributions and advice from all organizations in the payment card ecosystem, regardless of whether they belong to the council or not.

The payment card industry established the PCI Council in 2006 to help steward the specific requirements laid out by PCI and to act as a liaison between the credit card companies and those required to adhere to PCI standards. It started its most recent push for feedback in July as a part of its regular standards lifecycle, which mandates updates to the standard to be published every 24 months in order to keep current with the most pressing security threats.

“This is the opportunity for all of our participating organizations and our assessment community as well as people who are not part of the council to give us feedback on the standard,” says Bob Russo, general manager of the council. “It is a pretty important time for us. We're all real busy, running at Mach 2 with our hair on fire trying to get all of this information in time for our community meetings so that we can discuss it.”

Stakeholders in the compliance process have through the end of October to offer feedback and critiques, with some of the most valuable information and feedback exchange scheduled to occur at two community meetings, one in Las Vegas from Sept. 22-24 and one in Prague from Oct. 26-28.

“We will be discussing all of this feedback and debating with the constituents about what they think needs to be in the next version,” Russo says of the meeting’s agenda.

Attendees at the meetings will also hear from advisers at PriceWaterhouseCoopers, from which the council commissioned a study on hot-button issues such as end-to-end encryption and tokenization, the results of which will also be incorporated into the next generation of PCI standards.

Be they qualified security assessors, approved scanning vendors or trusted advisers who help retail clients remediate after assessment and scanning, channel partners play an extremely important role as stakeholders in the PCI compliance ecosystem, Russo says. In the run-up to the Las Vegas meeting in just a few weeks, North American channel partners are particularly encouraged to provide their comments and criticisms to fuel debate.

The meetings themselves are open only to participating organizations within the council—a status encouraged among channel providers but requiring a $2,500 annual investment. However, Russo says the council wants to hear from all channel players that have something constructive to add to the debate.

“We would like a critique of the current standard, so if there are things that are missing that are particular to channel activities, we’d like to hear about that—we’re not just limiting it to participating organizations,” Russo says. “Certainly, if you’re a participating organization it is a little bit easier because you can submit using an online feedback form and you get access to people on the council, but if you’re not you still have the opportunity to give us feedback by e-mail.”

Once the feedback period ends in October, the council will compile all of the information it has collected to come up with a draft of the new standards. It will present this draft to the stakeholder community in May for final review next summer before the standards are given the green light next fall.