When the Payment Card Industry Security Standards Council was formed five years ago to establish industry standards, General Manager Bob Russo figured about 50 to 60 merchants, associations or banks would participate. He was in for a surprise.
“We are now moving toward 700 participating organizations who have joined with the council in bringing forth the ideas on what they would like to see addressed,” Russo tells PaymentsSource.
The feedback fuels the creation of the council’s Special Interest Groups, which are comprised of organization representatives who address topics the council deems most pressing.
For the next topic deadline, organizations will submit ideas through the council’s website until the end of August. The council will then hold two meetings, one in the United States in September and the other in Europe in October, at which up to 2,000 representatives of participating organizations and qualified security assessors will listen to “pitches” for the topics the Special Interest Groups should review, Russo says.
After the topic pitches, participants may go to the council website and vote for the top three they would like to see a Special Interest Group address, almost as if “voting for the All-Star game,” Russo says.
“The feedback the council gets is valuable for watching for trends or something that needs clarification,” Russo says. “In some cases, people don’t understand a new technology, and they need clarification or training with a standard already established.”
In March, the council addressed security concerns about credit card data given to telephone call centers.
The council has many potential topics to address at any given time, but the process is streamlined by choosing the most important issues and then having the Special Interest Group narrow the focus, Russo says. The group does so by establishing a timeline for what it intends to accomplish, whether that is more training for participants or the establishment of a new compliance standard.
Topics that could result in further study include mobile computing; the increase in criminals “skimming” credit card data at ATMs, gas pumps or other unattended payment or cash-access locations; or something more specific to a certain industry, such as convenience stores, if a trend unfolds regarding payments security, Russo explains.
As technologies emerge, many participants have questions about “scoping,” a term used to describe the process of determining which parts of a merchant’s payment system store credit or debit card data and whether those parts are PCI-DSS compliant, Russo says.
The council serves as “a very good base for security and you can be compliant, but you have to use the tools that go with it,” Russo says.
To illustrate how noncompliant merchants may think they are compliant, Russo uses the example of a home that counts as compliant because it has dead bolts installed, even though the homeowner never locks them.
Joan Herbig, CEO of Alpharetta, Ga.-based ControlScan, a qualified security assessor for the council, puts a different twist on the dead-bolt analogy in describing the smaller merchants her company serves.
“Some of the people we are working with don’t even have the bolts and don’t know they are needed,” Herbig tells PaymentsSource. “Understanding the language of the technology and compliance and getting translation and clarification is critical.”
Herbig is satisfied with the way the council has taken a leadership role in keeping the Special Interest Groups on track, and with the process of community meetings and voting on the key topics.
ControlScan works with small and midsize merchants processing up to 1 million credit card transactions per year to attain PCI compliance through an online merchant portal providing system analytics and instruction to fix vulnerable areas.
Dave Abouchar, ControlScan senior director of product management, feels the education provided by the PCI council is a starting point for merchants to attain and maintain compliance standards.
“Merchants who focus on security and have that in their DNA will have compliance naturally follow,” Abouchar says. “We have to raise the awareness of the security risks involved in running their businesses.”
The council establishes compliance guidelines for the industry in three areas: the PCI Data Security Standard; the Payment Application Data Security Standard for applications “bought off the shelf,” such as a restaurant cash register terminal application that monitors supplies but also takes credit card information; and the Payment Transaction Security standards, which started with terminals taking PIN card entries but have evolved to cover any unattended payment terminals, such as those at gas pumps or in grocery stores.
In the United States, the federal government wants to see industries regulate themselves rather than having the government step in, Russo contends.
“The fact that we are approaching 700 participating organizations at this point is a testament that people understand what is going on” in the payments industry, Russo says.
The council recently developed an animated YouTube video for members to review the 12 requirements of the PCI Data Security Standard.
American Express Co., Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. comprise the council’s founding global payments brand companies.
A policy-setting executive committee made up of representatives from the five founding global payments brands leads the council, which also gets feedback from a board of advisors drawn from participating organizations.