PCI Security Council seeks industry comments on current standards
Feedback will be considered for the next version of PCI, executive says
Computerworld - The group that administers the Payment Card Industry Data Security Standard (PCI DSS) wants feedback about how the current version of the standard, released last October, is working.
Retailers, financial institutions and others in the payment industry will be able to submit online comments between July 1 and Nov. 1 about how to improve the PCI DSS 1.2 standard, the PCI Security Standards Council (SSC) said this week. Over the next few months, the PCI SSC will hold two "community meetings" -- one in the U.S., the other in Europe -- where stakeholders can also weigh in.
Those comments will be reviewed to see what changes need to be made in the next version of the standard, which is due out in the fall of 2010, said Robert Russo, general manager of the PCI SSC. In addition, the PCI SSC has commissioned PricewaterhouseCoopers (PwC) to review technologies such as end-to-end encryption, chip and PIN, and tokenization to see whether these technologies should be made part of PCI requirements in the future, Russo said.
PCI standards were created by Visa, MasterCard and other major credit card brands and are administered by the PCI SSC. All companies that accept payment cards are required to implement the 12 high-level security controls prescribed under the standards. Larger companies face significantly tougher compliance requirements than smaller firms.
The request for comments and the review of new technologies by PwC come amid growing criticism of PCI from several quarters. Earlier this month, for instance, representatives from seven trade groups sent a letter calling for the standards to be developed in a more open manner. The letter, signed by representatives from the National Retail Federation, the Merchant Advisory Group, the National Restaurant Association and others, suggested that the PCI SSC adopt a standards-writing process similar to those used by open standards bodies such as ANSI. The groups also recommended that retailers be given enough time to implement revisions and asked for a reduction in the number of requirements prescribed under PCI.
The letter added to a growing chorus of voices expressing concern about the burdensome and costly nature of PCI requirements and about their effectiveness. At a House of Representatives hearing in April, U.S. lawmakers and representatives of the retail industry blasted PCI rules as being too static and wondered whether they were designed to protect card companies and banks from liability more than anything else.
Russo today pointed to the feedback process and the PwC review as efforts by the PCI Security Standards Council to make the standards process inclusive, transparent and relevant. He noted that since its inception, the PCI council has relied heavily on input from its members and others in the payment industry to shape the standards.