Retailers and other major stakeholders in the payment card chain finally have an opportunity to guide enhancements to the Payment Card Industry (PCI) data security standard mandated by the five major credit card companies.
This week, 14 organizations -- including retailers Wal-Mart Stores and Tesco Stores of the United Kingdom -- were elected as the first members of the newly created Board of Advisors to the PCI Security Standards Council (PCI SSC). All were elected by members of a 200-strong community of retailers, banks and other organizations belonging to the PCI SSC, an independent body established in September by the credit card companies to manage the PCI standard worldwide.
The organizations will be responsible for collecting industry-wide feedback on the data security standard and influencing changes to it, said Seana Pitt, chair of the PCI SSC. Until now, the PCI standard has been developed entirely by the five credit card companies: Visa International, MasterCard Worldwide, American Express, Discover and the Japan Credit Bureau (JCB).
Setting up the advisory board will address some of the "confusion and resistance" from companies directly affected by PCI that did not have a "seat at the table," Pitt said. "One of the key deliverables when we launched the council was to ensure that we had robust feedback from the marketplace to help us develop the standard. The election of our board of advisors is a key milestone."
Other members of the advisory board include British Airways, Bank of America, J.P. Morgan Chase and APACS, the U.K. payments association. Seven more members, selected by the PCI SSC itself, will be added later. The goal is to ensure that the 21-member board has geographic and stakeholder diversity, Pitt said.
Michael Barrett, the CIO at PayPal and a member of the advisory board, called its creation a good step. "The PCI standard is extremely important in protecting the payment card industry, but it isn't a finished work of beauty yet. It's a work in progress. It has rough spots that need to be polished down" by people with experience implementing it.
As an advisory board member that already complies with PCI requirements, PayPal can offer real-world guidance on the standard to the council, he said. "We've seen where it works and where it doesn't and can therefore make suggestions for tweaking the language here or driving it in a slightly different direction there."
PCI prescribes a set of 12 broad security requirements that every entity storing, processing or transmitting credit or debit card data is required to implement. The requirements cover a wide range of controls, including encryption of cardholder data, transaction logging and monitoring, strong authentication, and access controls. The standard went into broad effect in June 2005 and has since become a major implementation issue, especially for larger merchants, which face heavy fines and higher transaction fees for noncompliance.
The creation of the advisory board, and particularly the presence of retail heavyweights such as Wal-Mart and Tesco, will ensure that all stakeholders have a voice, said Avivah Litan, an analyst with Gartner. "There's a lot of pent-up frustration in the market about not being able to help shape the standard," Litan said. The advisory board should be able to push the PCI SSC's board of directors to change that situation, she said.