Solution Providers' Input Sought for PCI Security Standard UpdateBy Ericka Chickowski | Posted 2009-08-27 Email Print
Solution providers who have been frustrated by the PCI DSS now have the chance to voice their positions and request changes. The PCI Security Standards Council is currently soliciting feedback as it prepares to update the standard.
Security providers in the channel who are currently frustrated with
PCI DSS (Payment Card Industry Data Security Standard) regulations have
a chance to make a difference in the next iteration of credit card
security standards if they act quickly.
The PCI Security Standards Council is currently in the middle of a feedback period in its drive to update PCI compliance standards by October 1, 2010, and is seeking contributions and advice from all organizations in the payment card ecosystem, regardless of whether they belong to the council or not.
The payment card industry established the PCI Council in 2006 to help steward the specific requirements laid out by PCI and to act as a liaison between the credit card companies and those required to adhere to PCI standards. It started its most recent push for feedback in July as a part of its regular standards lifecycle, which mandates updates to the standard to be published every 24 months in order to keep current with the most pressing security threats.
"This is the opportunity for all of our participating organizations and our assessment community as well as people who are not part of the council to give us feedback on the standard," says Bob Russo, general manager of the council. "It is a pretty important time for us. We're all real busy, running at Mach 2 with our hair on fire trying to get all of this information in time for our community meetings so that we can discuss it."
Stakeholders in the compliance process have through the end of October to offer feedback and critiques, with some of the most valuable information and feedback exchange scheduled to occur at two community meetings, one in Las Vegas from Sept. 22-24 and one in Prague from Oct. 26-28.
"We will be discussing all of this feedback and debating with the constituents about what they think needs to be in the next version," Russo says of the meeting’s agenda.
Attendees at the meetings will also hear from advisers at
PriceWaterhouseCoopers, from which the council commissioned a study on
hot-button issues such as end-to-end encryption and tokenization, the
results of which will also be incorporated into the next generation of
Be they qualified security assessors, approved scanning vendors or
trusted advisers who help retail clients remediate after assessment and
scanning, channel partners play an extremely important role as
stakeholders in the PCI compliance ecosystem, Russo says. In the run-up
to the Las Vegas meeting in just a few weeks, North American channel
partners are particularly encouraged to provide their comments and
criticisms to fuel debate.
The meetings themselves are open only to participating organizations
within the council—a status encouraged among channel providers but
requiring a $2,500 annual investment. However, Russo says the council
wants to hear from all channel players that have something constructive
to add to the debate.
"We would like a critique of the current standard, so if there are things that are missing that are particular to channel activities, we’d like to hear about that—we’re not just limiting it to participating organizations," Russo says. "Certainly, if you’re a participating organization it is a little bit easier because you can submit using an online feedback form and you get access to people on the council, but if you’re not you still have the opportunity to give us feedback by e-mail."
Once the feedback period ends in October, the council will compile all of the information it has collected to come up with a draft of the new standards. It will present this draft to the stakeholder community in May for final review next summer before the standards are given the green light next fall.