Friday, April 19, 2024

The New PCI Council: Does It Have Enough Teeth?

The creation of the new PCI Security Standards Council LLC by the five leading payment card brands represents a big step forward in enhancing credit and debit card security, but it doesn't go far enough, one analyst tells Digital Transactions News. The council, a creation of American Express Co., Visa International, MasterCard Worldwide, Discover Financial Services LLC, and Japan-based JCB International Credit Card Co. Ltd., was announced last week (Digital Transactions News, Sept. 7). The entity is charged with oversight of the Payment Card Industry (PCI) security standards first promulgated nearly two years ago. The council's first action was to issue an update to the standards, which address transaction security and proper controls for safeguarding cardholder information.

“The PCI council and the update they announced [Thursday] are long overdue and definitely solved some of the problems, not all of them,” says Avivah Litan, senior analyst at Stamford, Conn.-based technology research and consulting firm Gartner Inc.

The main potential flaw is that while the council will be responsible for developing security standards going forward, each of the five brands will remain responsible for enforcement. “The bigger problem is each brand can enforce them differently,” says Litan. “They have their own guidelines.” The brands differ, for instance, in the transaction-volume tiers that determine which security requirements apply to a given merchant, she says.

But Seana Pitt, the chairperson of the PCI Security Standards Council and vice president of global merchant policy and data quality at American Express, believes the common goal of enhancing security, in part by making all network guidelines uniform, will negate that issue. “I don't believe there will be a pitfall in that area,” she tells Digital Transactions News. “Security is a critical issue. The Security Standards Council is the message that we have come together. Everybody has a stake.”

Whereas merchant acquirers, processors, payment gateways, and other entities that touch card transactions currently are subject to security audits by each card brand, the council's objective will be to make one audit acceptable to all networks. “Do the audit once, make five copies,” says Pitt. “We hear from merchants that, 'if I do this thing, I'm not certain if it will apply to the other brands.'” Exactly when that scenario will come about, however, isn't clear yet. One of the council's first items of business is the hiring of a general manager. A recruiting firm already is hunting for one, but there isn't a specific date for the executive to be in place. Pitt says it will be “as soon as possible.”

The council also will play a big role in security training and certification for payments-related companies. By year's end it will take over the certification of so-called Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), now done by Visa and MasterCard. Merchants, processors, banks, gateways, point-of-sale equipment makers, and others can have direct input into future PCI revisions by joining the council as participating members, who can nominate members to an advisory board. Such members will be recruited from around the world, Pitt says.

Litan says the council was on the mark with its revisions of the current standards, which clarify that if a covered entity can't meet the letter of a requirement on a particular security matter, alternative controls will suffice if they achieve the desired level of security. “They finally recognized that compensating controls are legitimate,” she says.
