Merchant Groups Ask for Broad Changes in Letter to PCI’s Overseer

They're mad as hell, but whether they're going to take it any more isn't quite as clear. That's the essence of a letter seven merchant trade groups sent Tuesday to the PCI Security Standards Council and the five general-purpose payment card networks. The merchants want more input when the Payment Card Industry data-security standard, or PCI, is revised, and they also want changes that would ease their compliance burden with the lengthy set of rules that card-accepting merchants must meet. Merchants have complained, mostly in private, about PCI ever since Visa, MasterCard, American Express, Discover, and JCB created the PCI Council in 2006 to oversee a uniform set of security requirements. The most vocal protests have come from retailers, notably the National Retail Federation. But the June 9 letter shows that hotels and restaurants are willing to go public with their dissatisfaction. Signatories are the top or senior executives from the NRF, the American Hotel and Lodging Association, the International Franchise Association, the National Restaurant Association, the National Council of Chain Restaurants, the National Association of Convenience and Petroleum Retailing, and the Merchant Advisory Group, an amalgamation of large card acceptors across a number of industries. “[Merchants] take data security seriously and have spent in excess of $1 billion on PCI DSS compliance as part of their security programs,” the letter says. “However, it is becoming increasingly difficult for our members to comply with the program's requirements in a cost-effective and timely manner, especially in this difficult economic climate.” The letter asks the Wakefield, Mass.-based PCI Council to: –Incorporate a formal review and comment phase on PCI revisions by stakeholders before they are issued; –Ensure that the time between issuance of a revision and its effective date is appropriate for merchants large and small. The merchants want PCI Version 1.1's sunset date extended to Dec. 31 (Version 1.2 was released Oct. 1 and Version 1.1's sunset date was last Dec. 31, though enforcement is up to the card networks); –Restructure PCI's approximately 200 detailed requirements to reduce companies' maintenance and reporting burdens; –Require networks and issuers to give merchants the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution. The current process puts customers at unnecessary risk, the letter says. In a statement issued Wednesday, the PCI Council said it “actively seeks and encourages collaborative input on the PCI DSS from all interested parties.” The statement notes that financial institutions, processors, merchants and vendors can become so-called participating organizations?there are more than 600 worldwide?that in turn elect members to the Council's Board of Advisors. The Council on July 1 will start the feedback stage of its two-year process of developing the next PCI revision, the statement says. “We encourage all participating-organization stakeholders, including the letter's authors, to actively participate in that feedback process,” it says. The merchant groups also asked the PCI Council to adopt something similar to what they say is the more open rules-setting process of the Accredited Standards Committee X9 (ASC X9). The American National Standards Institute (ANSI), a body that sets voluntary standards for many industries, accredits ASC X9 (Digital Transactions News, April 30). “As ASC X9 also maintains data-security standards, we recommend the [PCI Council] partner with them in an effort to create a single standard that could be used by all,” the letter says. The groups also said that ASC X9 is looking at so-called “end-to-end” data encryption, something they applauded. While the card networks say end-to-end encryption isn't a panacea for security problems (Digital Transactions News, April 24), the PCI Council says it “recently issued an RFP [request for proposals] on emerging technologies, including further research into end-to-end encryption, and anticipates a detailed analysis and position paper presented to us by the end of the summer.” The merchants didn't threaten aggressive action such as a lawsuit or payment-card boycott, a virtual impossibility for many businesses nowadays. But a spokesperson for the Washington, D.C.-based NRF says merchants have other options if the PCI Council and card networks don't heed their concerns, including possible support for federal action to make the rules more palatable. He notes that a subcommittee of the U.S. House of Representatives' Homeland Security Committee this spring investigated the impact of PCI. “Legislation wouldn't necessarily be out of the question in terms of making PCI less complicated,” he says. One long-time observer of the payments-security scene, analyst Avivah Litan of Gartner Inc., says by e-mail that the number and influence of the trade groups signing the letter “is significant and they are justifiably asking for an open and reasonable standards-setting and implementation process.” She calls the current process “closed and archaic.” Litan adds that the merchants' requests not to hold data is reasonable “and should have been accommodated years ago.”