Friday, March 29, 2024

New Council Updates PCI, Looks to Foster Closer Industry Cooperation

The new organization set up by the leading payment card networks to administer the Payment Card Industry (PCI) data-security rules should lead to closer coordination on security matters among card networks, merchants, and vendors, according to one of the organization's spokesmen. Announced Thursday, the organization has already issued an update on PCI.

“The expectation is that this is highly collaborative between the brands and the network constituencies,” says Robert Tourt, vice president of network services at Riverwoods, Ill.-based Discover and Discover's representative on the body, dubbed the PCI Security Standards Council LLC. “The goal here is to reduce fraud rates and safeguard transaction information.”

From now on, it will be the new council that develops unified standards for all the card networks, though each network will be responsible for enforcing them, including with fines for offending merchant acquirers or other responsible parties. Tourt says PCI has promoted communication and information-sharing among the networks, but he foresees even more cooperation with the new council.

The organization is a joint creation of Visa International, MasterCard Worldwide, American Express Co., Morgan Stanley's Discover Financial Services, and Japan-based JCB, each of whom has one representative on its governing board. A council spokesperson tells Digital Transactions News that the Wakefield, Mass.-based body is looking to hire an executive director soon as well as a small staff.

News of an incident at JPMorgan Chase & Co. seemingly underscored the new council's purpose. The banking giant announced Thursday it had inadvertently discarded tapes containing card-account data related to some 2.6 million customers of cobranded and proprietary cards issued for electronics chain Circuit City. The data on about half of these accounts included Social Security numbers. The bank said it believed the tapes were crushed in a compactor and buried in a landfill, and so it doubted the incident would lead to any account compromises. But it said it is notifying each of the cardholders, and for those whose records included Social Security numbers, it will pay for one year of credit monitoring.

Even though overall fraud rates are less than half of what they were in the early 1990s, database breaches and other forms of high-tech fraud have battered the card industry since the Internet became a major communications and commercial medium in the mid-1990s. In part because fraudsters make few distinctions by brand, the networks put their differing security standards under the PCI umbrella in late 2004 with the release of version 1.0 of its rules, which cover a dozen major areas of security and call for such measures as firewalls, up-to-date anti-virus programs, and avoidance of default passwords. But in reality, PCI has been a highly decentralized endeavor, with each network still in effect administering its own, proprietary security measures.

As its first action, the council set forth an updated set of rules called PCI Data Security Standard version 1.1. The new version mostly clarifies certain parts of version 1.0, according to the spokesperson. It also addresses evolving security threats and recommends that merchants and vendors take action to fortify application- and network-level security.

“The payment brands that founded the council are committed to ensuring the ongoing development of data security standards that are both efficient and effective,” Seana Pitt, an AmEx vice president serving as the council's first chairperson, said in a statement. “The creation of this council is a significant step forward in protecting cardholder information and it underscores the critical nature of this effort.”

According to Thursday's announcement, the council's main goals, in addition to developing security standards for safeguarding account information, include reducing costs and implementation times for new standards, and maintaining a list of qualified vendors of security products and services. Education and training is another function; the council will certify so-called Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) on behalf of the payment networks. The council also will have an advisory forum consisting of merchants, banks, point-of-sale equipment makers, and others. These so-called participatory organizations must pay a $2,000 annual fee and can nominate members for the advisory board.


Digital Transactions