With its first top executive in place, an industry consortium formed last year to promote the Payment Card Industry data-security standard (PCI) is getting set to elect a board of advisors, launch educational programs for merchants, and conduct a meeting aimed at updating the security rules. The announcements come in the wake of major data breaches at two retail chains and amid concerns at banks and processors that many small merchants remain either unaware of?or flummoxed by?PCI's requirements. At the same time, merchants and other observers note the complexity of PCI compliance. And compliance levels for the standard, which in its current form is about two years old but claims antecedents with all of the major card networks, remain below 50% among the largest merchants. Robert M. Russo, a former security-software executive who took over in February as general manager of the PCI Security Standards Council LLC, says high-profile data breaches such as those earlier this year at TJX Cos. Inc. and Stop & Shop Supermarket Cos. at the very least help get the word out about the pressing need for PCI, a set of rules mandating such steps as firewalls, anti-virus protection, regular password changes, and security scans. “TJX made my job easier,” says Russo. “Every time one of these stories breaks, it's a fire drill as to how to handle the questions, but it raises awareness.” Russo insists compliance is going better than raw percentages would suggest. “The numbers are somewhat deceiving,” he says. “The part you don't see is that 90% of those Level 1 and Level 2 merchants [that are not in compliance] are on the road to compliance.” As defined by Visa USA, Level 1 retailers process more than 6 million Visa transactions per year; Level 2, between 1 million and 6 million. Many merchants not yet certified as compliant, he says, have completed so-called reports on compliance, a process that has taken them through the rules and forced them to plug leaks in their systems. To reach the smallest merchants, those doing fewer than 1 million transactions yearly, the council plans to launch webinars to present PCI and explain its rules and ways of becoming compliant. “It's not that they don't want to comply, it's that they don't know how to comply or don't know they need to comply,” Russo says. The webinars are likely to kick off by the end of the year, he notes, and will come with self-assessment questionnaires the council has already completed and is now vetting with its membership, which includes some 200 financial institutions and retailers as well as the card networks. American Express Co., Discover Financial Services LLC, JCB International Credit Card Ltd., MasterCard Worldwide, and Visa each owns one-fifth of the Wakefield, Mass.-based organization. The group has also gone through a nominating round on the way toward forming a 21-member advisory board drawn from its membership. Russo says the council received 109 nominations for 14 seats. “It's unbelievable enthusiasm,” he says. Seven seats will be appointed by the council to ensure representation of industry segments and world regions, he says. Online voting on the nominees will start in two weeks, and the council hopes to announce the members in June. In September, the council plans to hold what Russo calls a community meeting for its members, the aim of which will be to update PCI. The two-day conference will allow a wide-ranging discussion, he says. Conferees may decide to incorporate Visa's Payment Applications Best Practices (PABP), a set of recommendations for point-of-sale software security, into PCI, turning what have been suggestions into requirements. Already, the card network's rules for PIN-entry devices, the PED standard, has been brought under the PCI umbrella. Formed in September, the council administers the PCI standard. Along with promoting PCI, it also trains, tests, and certifies qualifed security assessors (QSAs) and approved scanning vendors (ASVs). The card networks, however, retain control over PCI enforcement.
Check Also
Fiserv and ADP Team up and other Digital Transactions News briefs from 11/20/24
Fiserv Inc. and ADP have agreed to offer as a package Fiserv technologies such as Clover …