Those who want a say in future card-data security standards may send feedback to the Payment Card Industry Security Standards Council for the next six months, a council executive says.
The council is providing its next formal feedback period, part of a three-year cycle to update PCI security standards, from Nov. 1 through March 31. It will compile the results in April, says Bob Russo, council general manager.
“There is nothing to prevent feedback at any time, and our participating organizations are not shy about providing that feedback. But this time frame establishes our official feedback period through the portal on our website or through email,” Russo says.
However, many participating organizations tend to wait until the last minute to provide feedback, and the council is encouraging them to respond sooner to allow it more time to review comments, Russo says.
Organizations representing merchants, banks, processors, vendors, security assessors and others in the payment chain will be involved in the feedback period for the most recent version of the PCI-Data Security Standard and the Payment Application Data Security Standard, the council noted in a press release.
As of Dec. 31, the previous version of PCI-DSS and PA-DSS standards will be retired, and all compliance-validation efforts must follow the newest version, or 2.0, the council stated in the release.
A standards-review team of the council will examine compiled feedback about version 2.0 and place each comment in one of three categories–clarifications, additional guidance or evolving requirements–depending on its content, Russo explains.
“It could be feedback about a specific area of a current standard, or it could be requesting a clarification on a standard, or requesting a change,” Russo says. “Or it could be about an entirely new area that has not been looked at.”
After the review team places the feedback data in categories, council leaders will determine which special interest group in the council will study each topic, regardless of whether participating organizations request a new standard or just more guidance on an existing one, Russo says.
The council will create a spreadsheet of all of the feedback in specific categories to share with the participating organizations, allowing for even more feedback when the council conducts its 2012 community meetings in Orlando, Fla., and in either Paris, France, or Vienna, Austria, Russo says.
“We learned at this year’s community meetings that our participating organizations want more opportunity to network, so we are hoping to develop an application that will allow them to connect with each other in the hotel, and we are also going to secure extra conference rooms,” Russo adds.
The 2011 community meeting in Scottsdale, Ariz., drew large crowds primarily because of interest in mobile-payment security and because it was held shortly after the council released its new recommendations for advanced encryption.
Those involved with the council will continue to have “a big appetite” for knowledge related to advanced encryption–known as point-to-point encryption–and mobile payment security and the council’s recent guidance on mobile card readers, Russo believes.
“We’re going to continue to work in those areas to get more guidance out there,” Russo says.
The council provides a new online feedback tool on its website at








