Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Card Firms Loosen Grip on Data Rules

Many businesses began paying serious attention to the rules only after credit card companies warned last December that they would begin assessing stiff fines for noncompliance this autumn. Since then, supporting the standard has become a major implementation issue

Large retailers and other key stakeholders in the payment card chain are finally being given a chance to help guide the development and modification of the data security standard imposed on them by the major credit card companies.

Wal-Mart Stores and UK-based Tesco Stores were elected along with 12 other organizations to be the first members of a newly created board of advisers to the PCI Security Standards Council. The advisory board members were chosen by about 200 retailers, banks and other companies that belong to the council, an independent body that was established last September to manage ongoing development of the security standard.

Until now, PCI has been crafted by the five credit card companies that created it: Visa International, MasterCard, American Express, Discover Financial Services and Tokyo-based JCB Co.

Seana Pitt, an executive at American Express who chairs the PCI council, said the group's executive committee hopes that the formation of the advisory board will help reduce the "confusion and resistance" swirling around the security standard. The concerns about PCI stem at least partly from the fact that the companies directly affected by the requirements haven't had "a seat at the table" until now, Pitt said.

According to Pitt, the advisory board will be responsible for collecting industry wide feedback on PCI, which is formally known as the Payment Card Industry Data Security Standard. She said the board is also expected to influence future enhancements to the standard.

One of the members of the advisory board is PayPal, a unit of eBay. Michael Barrett, PayPal's chief information security officer, called the board's formation a step in the right direction for PCI.

"The PCI standard is extremely important in protecting the payment card industry, but it isn't a finished work of beauty yet," Barrett said. "It's a work in progress. It has rough spots that need to be polished down." And that is best done by people who have had experience implementing it, he said.

Practical advice

Barrett said PayPal already complies with the security rules and will be able to provide the PCI council's executive committee — made up of credit card company representatives — with real-world guidance about the standard. "We've seen where it works and where it doesn't, and can therefore make suggestions for tweaking the language here or driving it in a slightly different direction there," he said.

Other advisory board members include Bank of America, JPMorgan Chase, British Airways and APACS Administration, a trade group for payment services companies in the UK. The PCI council's executive committee will select seven more members at a later date. The goal is to ensure that the 21-member board has enough geographic and stakeholder diversity, Pitt said.

The PCI standard prescribes a set of 12 broad security controls that all entities accepting credit or debit card transactions are contractually obligated to implement. The requirements went into effect in June 2005 and cover functions such as data encryption, transaction logging and monitoring, and strong end-user authentication and access controls.

But many businesses began paying serious attention to the rules only after credit card companies warned last December that they would begin assessing stiff fines for noncompliance this autumn. Since then, supporting the standard has become a major implementation issue. One of the big complaints from companies is that the requirements stipulate specific controls instead of broad security objectives.

"PCI effectively is a proprietary standard," said Colin Whittaker, head of security at APACS. Now, he added, the PCI council "wants to get wider engagement in place" to ensure that the security rules meet the needs of businesses worldwide.

"We need to make sure the standard remains relevant to the emerging threat environment," Whittaker said. "And we need to make sure that it is sufficiently responsive and appropriate to all markets where payment cards are used, because there are different threat profiles [in different regions]."

"There's a lot of pent-up frustration in the market about not being able to help shape the standard," said Avivah Litan, an analyst at Gartner. For instance, there is considerable confusion about when companies can use so-called compensating controls in lieu of the actual PCI requirements, she said.

Similarly, Litan said, companies are looking for better guidance on prioritizing the controls mandated by PCI.

The advisory board should be able to put pressure on the PCI council's executive committee to change the current situation, Litan said. But, she cautioned, the advisory board's charter doesn't touch upon PCI implementation and enforcement issues.

Currently, each of the five credit card brands has its own implementation, auditing and enforcement practices, and it's a huge challenge for businesses to keep up with all of them, Litan said. What's really needed, she said, is a way to rationalize the implementation of the PCI standard.

"The [advisory] board is a great communication vehicle," she said. "But there are some immediate problems that aren't being solved here."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: American Express, British Airways, eBay, Gartner, Mastercard, PayPal, Tesco, Visa, Visa International, Wal-Mart

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Reconciling Datacenter consolidation and security: It starts with an integrated approach
    There is no question that datacenter consolidation has gone mainstream. A recent IDG Research survey of IT managers found that three out of four organizations are in the midst of, or just completing, consolidation of multiple applications or systems onto a smaller number of servers. Improving performance and availability was the key driver of consolidation efforts for 85% of those surveyed.
    Learn more »
  • Why Two Thirds of Enterprise Architecture Projects Fail
    This is the conclusion of a study for the R otterdam U niversity carried out by J onathan B roer in the summer of 2008, ordered by BPM and E A software vendor IDS S cheer. B roer questioned 161 respondents from 89 organizations representing a range of industries about their vision and implementation of the enterprise architecture concept.
    Learn more »
  • Protecting Generation Web
    From data privacy to personal safety issues, cyber-bullying, inappropriate content and malware, schools are facing an increasingly difficult task when it comes to allowing young people to spread their online wings without compromising their safety and personal development. The reality that most schools are catering to the needs of mixed age groups and abilities, and it’s easy to understand why a simple stop and block approach won’t work. Learning environments are, by nature, flexible. It stands to reason that the IT resources used in them should be flexible too. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments