New PCI Standard Council To Add Clarity, Industry Input

  On Sept. 7, five major card networks announced the much-anticipated founding of a formal council to oversee the Payment Card Industry Data Security Standard. The standard imposes strict rules on how cardholder data are handled and stored to combat debit and credit card fraud stemming from lost or stolen merchant data.
  One representative each from American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International will have a seat on what is now formally called the PCI Security Standards Council LLC. The council will work as an advisory group to manage the PCI standard, but the networks represented will remain responsible for enforcing compliance among their users.
  Seana Pitt is the council's chairperson and is AmEx vice president, merchant policy and data quality. Also represented on the council are Rob Tourt, Discover vice president, network services; Aki Nakatani, JCB senior vice president, product strategy; Bruce Rutherford, MasterCard vice president, advanced payments; and Brian Buckley, Visa senior vice president, international risk management.
  The council is inviting input from other payments-industry participants, including financial institutions, transaction processors, merchants, and equipment and services vendors. It will accept suggestions from such organizations on future changes to the standard and let them review and comment on proposed changes. The organizations also can elect or serve on the council's board of advisors.
  Such industrywide participation will improve the standard and increase compliance, Pitt says. "A big change is going to be soliciting feedback from stakeholders in the marketplace, to get them at the table to say, 'what can we do next?'" she says.
  The council's first action was to announce version 1.1 of the PCI standard. A notable change in the standard's language is the recognition of reasonable controls that compensate for slight deviations from the letter of the standard.
  Such deviations have been allowed informally but have not been recognized as legitimate, says Avivah Litan, senior analyst at consulting firm Gartner Inc. "[The PCI standard] was never very clear about it, but everyone did it anyway," she says. "So they are finally saying, yes, you can have compensating controls."
  One example of a reasonable set of controls could include a merchant that does not encrypt data but segments its network, keeps card data "off to the side" and restricts access very tightly, Litan says.
  Another change in version 1.1 is the stated best practice that payment-system users scan not just their overall networks for vulnerabilities but also individual system applications.
  Such scans will address emerging threats such as hackers inserting malicious code into applications, especially Internet-based payment systems. The scans will remain a recommended best practice until June 30, 2008, when they will become mandatory.
  The full standard can be viewed at the council's Web site, www.pcisecuritystandards.org. The original PCI standard was released in December 2004.
  (c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com