Solution Providers’ Input Sought for PCI Security Standard Update

Security providers in the channel who are currently frustrated with
PCI DSS (Payment Card Industry Data Security Standard) regulations have
a chance to make a difference in the next iteration of credit card
security standards if they act quickly.
The PCI Security Standards Council is currently in the middle of a
feedback period in its drive to update PCI compliance standards by
October 1, 2010, and is seeking contributions and advice from all
organizations in the payment card ecosystem, regardless of whether they
belong to the council or not.

The payment card industry established the PCI Council in 2006 to help
steward the specific requirements laid out by PCI and to act as a
liaison between the credit card companies and those required to adhere
to PCI standards. It started its most recent push for feedback in July
as a part of its regular standards lifecycle, which mandates updates to
the standard to be published every 24 months in order to keep current
with the most pressing security threats.

“This is the opportunity for all of our participating organizations and
our assessment community as well as people who are not part of the
council to give us feedback on the standard,” says Bob Russo, general
manager of the council. “It is a pretty important time for us. We’re
all real busy, running at Mach 2 with our hair on fire trying to get
all of this information in time for our community meetings so that we
can discuss it.”

Stakeholders in the compliance process have through the end of October
to offer feedback and critiques, with some of the most valuable
information and feedback exchange scheduled to occur at two community
meetings, one in Las Vegas from Sept. 22-24 and one in Prague from Oct.
26-28.

“We will be discussing all of this feedback and debating with the
constituents about what they think needs to be in the next version,”
Russo says of the meeting’s agenda.

Attendees at the meetings will also hear from advisers at
PriceWaterhouseCoopers, from which the council commissioned a study on
hot-button issues such as end-to-end encryption and tokenization, the
results of which will also be incorporated into the next generation of
PCI standards.

Be they qualified security assessors, approved scanning vendors or
trusted advisers who help retail clients remediate after assessment and
scanning, channel partners play an extremely important role as
stakeholders in the PCI compliance ecosystem, Russo says. In the run-up
to the Las Vegas meeting in just a few weeks, North American channel
partners are particularly encouraged to provide their comments and
criticisms to fuel debate.

The meetings themselves are open only to participating organizations
within the council—a status encouraged among channel providers but
requiring a $2,500 annual investment. However, Russo says the council
wants to hear from all channel players that have something constructive
to add to the debate.

“We would like a critique of the current standard, so if there are
things that are missing that are particular to channel activities, we’d
like to hear about that—we’re not just limiting it to participating
organizations,” Russo says. “Certainly, if you’re a participating
organization it is a little bit easier because you can submit using an
online feedback form and you get access to people on the council, but
if you’re not you still have the opportunity to give us feedback by
e-mail.”

Once the feedback period ends in October, the council will compile all
of the information it has collected to come up with a draft of the new
standards. It will present this draft to the stakeholder community in
May for final review next summer before the standards are given the
green light next fall.