Friday, October 18, 2024

PCI Council Adds Members, Hires First General Manager

Despite concerns over the recent hack at retailer TJX Cos. Inc. and other data breaches, the head of the organization overseeing the Payment Card Industry (PCI) data security standards is optimistic that card networks, merchants, and financial institutions are on the road to more secure payments. “Compliance is often a journey; sometimes it takes a business entity time to get that journey done,” says Seana Pitt, chairwoman of the PCI Security Standards Council LLC, a group established last September by the top five payment card networks to administer the PCI standards governing transaction security.

In a telephone interview with Digital Transactions News from the RSA Conference 2007 in San Francisco, a huge convocation of information-security professionals, Pitt says the council has been making tangible progress since its establishment. Membership is now up to 103 companies or organizations, some 20% based outside the U.S. Besides founders American Express Co., Visa International, MasterCard Worldwide, Discover Financial Services LLC, and Japan-based JCB International Credit Card Co. Ltd., members include merchants, processors, and other firms with a stake in electronic payments. Members will be listed next week on the council's Web site, www.pcisecuritystandards.org.

The council is about to get its first full-time general manager. According to Pitt, a candidate this week accepted the council's offer for the position. An announcement is forthcoming. The general manager will head a staff of seven, not including about 70 others who work for the individual networks but devote some of their time to the Wakefield, Mass.-based council. Pitt, who is vice president of global merchant policies and data quality at AmEx, is nearing the halfway point in her one-year term as chairperson.

Besides being responsible for oversight and upgrades to the PCI standards, the council certifies so-called Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Actual enforcement of PCI rules, however, is still the responsibility of the individual card networks. Though some observers have said the council lacks teeth because of that (Digital Transactions News, Sept. 11, 2006), Pitt disagrees. The council serves as a resource for everyone, she says, and by leaving enforcement to the networks, the group can provide a “neutral forum” where “robust feedback about what's working and not working” can be exchanged, she asserts.

The council also is assembling a 21-member board of advisors. Nominations will be open until March, according to Pitt.
