Retailers, other stakeholders to have say in PCI standards

Fourteen organizations have been chosen for an advisory board

Retailers and other major stakeholders in the payment card chain finally have an opportunity to guide enhancements to the Payment Card Industry (PCI) data security standard mandated by the five major credit card companies.

This week, 14 organizations -- including retailers Wal-Mart Stores Inc. and U.K.-based Tesco Stores Ltd. -- were elected as the first members of the newly created board of advisers to the PCI Security Standards Council (PCI SSC). All were elected by members of a 200-strong community of retailers, banks and other organizations belonging to the PCI SSC, an independent body established in September by the credit card companies to manage the PCI standard worldwide.

The organizations will be responsible for collecting industrywide feedback on the data security standard and influencing changes to it, said Seana Pitt, who chairs the PCI SSC. Until now, the PCI standard has been developed entirely by just five credit card companies: Visa International, MasterCard Worldwide, American Express Co., Discover and the Japan Credit Bureau.

Setting up the advisory board will address some of the "confusion and resistance" from companies directly affected by PCI that did not have a "seat at the table," Pitt said. "One of the key deliverables when we launched the council was to ensure that we had robust feedback from the marketplace to help us develop the standard. The election of our board of advisers is a key milestone."

Other members of the advisory board include British Airways PLC, Bank of America Corp., JPMorgan Chase & Co. and APACS Administration Ltd., a U.K. payments association. Seven more members, to be selected by the PCI council's executive committee, will be added later. The goal is to ensure that the 21-member board has geographic and stakeholder diversity, Pitt said.

Another advisory board member is eBay Inc.'s PayPal unit. Michael Barrett, PayPal's chief information security officer, called the formation of the advisory board a good step.

"The PCI standard is extremely important in protecting the payment card industry, but it isn't a finished work of beauty yet," Barrett said. "It's a work in progress. It has rough spots that need to be polished down." And that is best done by people who have experience in implementing the standard, he said.

As an advisory board member that already complies with PCI requirements, PayPal can offer real-world guidance on the standard to the council, he said. "We've seen where it works and where it doesn't, and can therefore make suggestions for tweaking the language here or driving it in a slightly different direction there."

PCI prescribes a set of 12 broad security controls that all entities accepting credit or debit card transactions are required to implement. The controls cover a wide range of issues, including encryption, transaction logging and monitoring, strong authentication and access controls. The standard went into broad effect in June 2005 and has since become a major implementation issue -- especially for larger companies, which face heavy fines and increased transaction rates for noncompliance.

The creation of the advisory board and particularly the presence of retail heavyweights such as Wal-Mart and Tesco will ensure that all stakeholders have a voice, said Avivah Litan, an analyst at Gartner Inc. "There's a lot of pent-up frustration in the market about not being able to help shape the standard," Litan said. The advisory board should be able to push the PCI council's executive committee to change that situation, she said.

Areas that could benefit from input include the issue of so-called compensating controls, Litan said. Currently, there is considerable confusion about where and when companies can use compensating controls in lieu of the actual PCI requirements. Similarly, companies are looking for better guidance on prioritizing the controls they need to implement, she said.

"The standard doesn't address the question of, 'Where do you begin?'" she said. "It is too detailed in some areas and really general in some areas," Litan said.

"I think we need to do a number of things," said Colin Whittaker, head of security at APACS. "We need to make sure the standard remains relevant to the emerging threat environment. We need to make sure that it is sufficiently responsive and appropriate to all markets where payment cards are used because there are different threat profiles."

The move by the PCI standards council to solicit feedback from stakeholders is similar to what other international standards bodies have done, Whittaker said. "PCI effectively is a proprietary standard. The council wants to get wider engagement in place" to keep it relevant, he said.

"I think it is very significant for the PCI security council to expand its participation," said Alan Bird, vice president of business development at Cyber-Ark Software Inc., a security vendor in Newton, Mass. Stakeholders are "able now to feel that there are people in the council who represent their interest and who have an elevated status," said Bird, who is also treasurer of a PCI Security Vendor Alliance group.

The newly created advisory board's charter does not touch upon PCI implementation and enforcement issues, which are perhaps more important in the short term than standards-related issues, Litan said.

Right now, each of the five credit card brands has its own implementation, auditing and enforcement practices, and companies face huge challenges keeping up with all of them, Litan said. What's really needed is a way to rationalize the implementation of PCI standards across all of the brands. As it stands, the board of advisers will have no say in this issue.

"The board is a great communication vehicle" for standards-related issues, she said. "But there are some immediate problems that aren't being solved here."

Copyright © 2007 IDG Communications, Inc.
