Q&A: Head of PCI council sees security standard as solid, despite breaches

GM Bob Russo defends payment card rules but acknowledges that 'interpretation issues' remain

The PCI Security Standards Council was established by the major credit card companies in September 2006 as an independent organization to manage the Payment Card Industry Data Security Standard. In an interview with Computerworld, general manager Bob Russo talks about the council's efforts to administer the PCI standard amid continuing concerns about credit and debit card security. And he defends the standard, despite the recent data breaches at Hannaford Bros. Co. and Okemo Mountain Resort.

What has the PCI council been up to? I started in 2007. My job in the first year was basically to brand the council. I think we did a reasonable job of branding the council and getting everybody to know what we are doing, and getting everybody to know the standard. My mouth wrote a lot of checks in 2007. So 2008 is when we have to start cashing those checks. Right in the first three months of this year, we have already begun to do this.

At the beginning of this year, we issued the PIN Entry Device standard. Then we released a new self-assessment questionnaire. That was the direct result of feedback from our stakeholders from the industry, from small merchants who said we can't answer 207 questions (which is the number of questions in the standard SAQ). So we broke up the SAQ into five distinct versions specific to what people are doing in terms of their businesses, down to where in some cases, you only have to answer 11 questions in order to get compliant.

This month, we are releasing the payment application standard. June 15 is when [PCI Section] 6.6 goes into effect (relating to Web application firewalls). September is when we are going to be releasing the next version of the data security standard.

What can you tell us about the next version? I can't really say if it's going to be a revision or if it's going to be a new version number. But there's going to be a lot of clarifications and a lot of guidance in it, because we still get questions about ambiguity.

One of the areas that will be touched on is probably wireless. There will be some updates. I can't tell you any specifics on what the updates are. But there will be some updates in the wireless area and probably in the application area and the preauthorization area as well -- but not so much that it's going to change the way you do business. Of course, if a major change has to be made, and if it puts people out of compliance, then we will make it a best practice for a certain period before making it a requirement.

We are also starting a QA program for our qualified security assessors. Right at this point, we are at the beginning stages. We'll probably begin the program sometime in the second quarter, and by the third quarter, we should be in full swing. We get a lot of questions from merchants about, "Why is this company charging $50,000 and why is this guy charging only $10,000? There has got to be something that one of them is doing differently." We are making sure everybody is on a level playing field, above and beyond what we already do. We already vet these companies, we make sure that they go through our training, make sure they are tested, make sure they are requalified every year. So it's above and beyond all this.

What PCI controls do people find most ambiguous? There's a lot of disagreement over compensating controls. Right now, people think that if they are not doing what the standard says, they have the ability to come out with a compensating control. Well, you do have the ability to do that. But a compensating control has to be both above and beyond what the standard calls for. The standard is the baseline. If you have a compensating control you want to submit, it has got to be above and beyond what the standard is calling for.

There are interpretation issues as well -- interpretation by the QSAs, interpretation by the merchants, interpretation by the brands. For some of the larger merchants that have been around for a while, you are talking about legacy systems that have been running their business quite well for 15 to 20 years. To try and retrofit these legacy systems with security is not an easy thing. It's easier to build a brand-new application and build the security into them right now than it is to take a legacy system and build in new security. The very last thing you want to do is break your business. So these really are the biggest concerns that merchants have.

Why aren't the Big Four accounting firms among your list of qualified assessors? They were at one point, weren't they? They had some liability issues that they weren't ready to sign up for. They look at it and say, "This is a small company here which is a QSA. Maybe it's a $2 million or a $3 million or a $10 million business, and here we have a multibillion-dollar business. Our liability is a lot worse." We are doing a couple of things behind the scenes to see if we can rectify that.

1 2 Page 1
Page 1 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon