Acceptance growing for PCI security standard


By Matt Hines
April 10, 2008

The leading man for the payment card industry's data security standard 
claims that most companies affected by the mandate have begun to embrace 
the regulation, rather than debate or deny its merits.

In the last year, perceptions of the PCI DSS security requirements -- 
authored by the world's largest credit card issuers and aimed at forcing 
companies that handle account data to sufficiently protect their 
sensitive information and IT systems -- have shifted dramatically, with 
most organizations making a genuine effort to understand and comply with 
the rules, said Bob Russo, general manager of the PCI Security Standards 

Differing factions still voice concerns over specific elements of the 
PCI regulation, largely around areas of the mandate that they feel are 
too prescriptive or vague, but the process of moving the standard 
forward has gained considerable momentum both in the United States, and 
around the globe, the PCI Council chief maintains.

"You'll always have people who resist when they are told that they have 
to do something, but most seem to agree that there is nothing alien in 
the three standards that we've issued thus far," Russo said. "I think 
that's because we've been able to establish that PCI is a strong 
security standard and this is work that people need to do anyways. Most 
of the remaining discord is related to the fact that people don't want 
to rip out and replace legacy systems."

In fact, close to 100 percent of all the merchants, card processors, and 
related businesses that qualify as "tier 1" PCI DSS targets have already 
become compliant with the standard, and many smaller organizations are 
well on their way, he said.

The PCI standard has come under additional scrutiny of late in light of 
a massive data breach at supermarket chain Hannaford Brothers, the first 
publicly reported incident of its kind at a business that claims to have 
been certified as PCI compliant.

However, the questions that the event has spurred -- about everything 
from the regulation's efficacy at preventing breaches to the issue of 
whether or not PCI compliance assessors will be held liable for 
incidents at certified companies -- will ultimately aid in the continued 
adoption and evolution of the measure, Russo said.

Russo said it's still unclear to what extent Hannaford was actually 
certified, or attentive in maintaining its compliance with the mandate. 
The incident also illustrates to other businesses that they will need to 
remain focused on related data security issues at all times, not merely 
when they know that they are being audited.

"The truth is that achieving compliance is a moment in time, it's a 
snapshot, and you need to be vigilant and live with these issues on a 
daily basis; you can't get your compliance certificate and put it in a 
drawer and feel satisfied," Russo said. "It's still pretty unclear 
exactly what happened [at Hannaford], but the upside is that they've 
said they'd like to share information about their incident, and feedback 
from everyone involved in this process has been crucial in making our 
efforts successful."

The biggest challenge in pushing PCI DSS further forward relates to 
issues of education, including the Council's effort to aggressively 
expand adoption of the standard outside of U.S. borders.

One of Russo's most recent personal victories to that end was when a 
representative for a French banking association, who had repeatedly 
challenged the executive in public forums over the need for DSS, shook 
his hand at an industry event and told him the organization was moving 
to adopt the mandate.

However, one of the biggest problems related to payment card industry 
security remains consumers' lack of understanding in differentiating 
between credit account fraud and identity theft.

The mainstream media has fueled the problem, with Russo expressing 
frustration that his interview was cut from a recent episode of the CBS 
news program "60 Minutes" in favor of what he labeled "sensationalistic 
fear-mongering" about consumers suffering long-term effects of identity 
theft, rather than focusing on real fraud -- the price of which is being 
almost entirely shouldered by the credit card industry that forms the 

Looking forward, the PCI Council will focus on further refining 
individual elements of the standard -- with an updated version of the 
rules due out in September 2008 -- and by vetting the processes used by 
companies seeking certification.

"It often takes years for these types of efforts to gain adoption, but 
we can't ask companies to break their business to do so. In some cases 
there is a need to move slowly, and we need to tailor the standard to 
better meet up with different business models," said Russo. "But the 
merchants are truly getting onboard. They hear all the horror stories 
and they're working to protect themselves from becoming the next 
headline. Feedback from everyone involved will continue to be crucial to 
our future progress, and we're trying to listen to as many people's 
ideas as possible."

Matt Hines is a senior writer at InfoWorld.
