In the ongoing fight against card fraud, the card industry has a useful ally in the PCI Council, a group that sets security standards for the processing of payment card transactions. "The PCI Council has been around since September 2006, and we're laser-focused on one thing, protecting credit card data, however it's stored, processed or transmitted," Bob Russo, general manager of the PCI Council, told us in an interview yesterday. The Council is announcing today that it has made changes to its standards process that will give merchants, banks and payment processors more time to adjust to new security recommendations.
What are the biggest threats to be addressed in the Council's next round of security upgrades? "Every year there are new and more innovative threats," Russo says. "This has morphed from the teenaged kid sitting in his grandmother's basement drinking Mountain Dew and seeing if he can hack into a system, to organized crime and state on state issues. People are trying to steal money — this is not for fun any more. It has changed and we have to stay ahead of it. The costs are way too high for everybody involved, not only the merchants, but the acquiring banks and the issuing banks, whenever there is a breach."
The PCI Council will release new standards for securing payment and card-related data and applications in October. But banks and merchants will have a 14-month grace period before they have to prove they're in compliance with the new standards; members will report on their compliance with the old standards through December 31, 2011. (The PCI Council's third standard, for PIN transaction security on PIN pads and kiosks, was already on a three-year lifecycle.)
"The main reason we're doing this is because we've had a ton of feedback," Russo says, from the group's 550 member banks, merchants, POS vendors, EFT networks and associations, some of the largest in the world. "This is an attempt to give them more time to live with the standard, to understand it, and to give us feedback on it so we have more meaningful updates going forward."
Merchants especially sought more time to comply with new standards. "The merchants tend to think, we're busy doing our business, we don't have time to do this," Russo says. "The way they look at it, more time is always good." He notes that the standards are mature: they've been around since the Council formed in 2006, and the changes that have been made haven't been major. But still, "every time we release a standard there's some angst about complying with changes in the standard that people are not prepared to deal with. This gives them more time to get familiar with the standard, to build a better security strategy, and thereby more time to give us what we consider really meaningful feedback. This is not about speed but getting it right."
The Council holds community meetings in September and October of each year; this year they will be held in Orlando and Barcelona. New standards will emerge from these meetings that will take effect January 1st of next year.
Russo doesn't expect there will be too many surprises in the next round of standards. The Council will start publishing summaries of upcoming changes throughout the summer. "There's no need for angst; we try to make this as easy as possible," Russo says.